In sessions_controller.rb (line 7-8), the code uses omniauth.origin as a redirect destination without validation:
This can be exploited as an open redirect: an attacker crafts an OAuth login URL whose omniauth.origin points at an external site, and the user is sent there after authenticating. The impact is limited because only the post-authentication redirect is affected, but a redirect out of the genuine login flow onto an attacker-controlled page is a useful phishing primitive.
The original intent was to provide a convenient way to return users to their previous page after logging in, but the implementation needs proper validation.
To fix this, implement strict validation of the redirect path:
```ruby
def safe_redirect_path(path)
  return root_path unless path.present?

  parsed_path = URI.parse(path)
  # Accept only an in-app path: no scheme, no host, and a path that begins
  # with a single "/". The host check matters: "//evil.example/" has no
  # scheme, so URI treats it as relative, yet it carries a host and a
  # browser will follow it off-site.
  return root_path unless parsed_path.relative? &&
                          parsed_path.host.nil? &&
                          parsed_path.path.start_with?('/') &&
                          !path.start_with?('//')

  path
rescue URI::InvalidURIError
  root_path
end

# In the create action (safe_redirect_path never returns nil, so no fallback is needed):
redirect_path = safe_redirect_path(request.env["omniauth.origin"])
redirect_to redirect_path
```
This ensures the redirect can only go to paths within your application domain. On Rails 7 and later, `redirect_to` also accepts `allow_other_host: false`, which raises `ActionController::Redirecting::UnsafeRedirectError` for a cross-host target; it is worth enabling as a second line of defence behind the explicit path check.
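The protocol-relative case is the one most easily missed, so it is worth exercising the validator against real attacker inputs. The script below is an added example written for this page, not code from the repository or from Revise: it stands in for Rails' `root_path` and `present?` with plain Ruby, places a check that only requires a scheme-less path starting with "/" beside one that also rejects any host or "//" prefix, and runs both over a constructed set of omniauth.origin values. The names `naive_redirect_path`, `safe_redirect_path`, `ROOT_PATH`, `CONSTRUCTED_ORIGINS` and `outcomes` are the example's own.

```ruby
require "uri"

# Stand-in for Rails' root_path helper (assumption; the app uses root_path).
ROOT_PATH = "/".freeze

# Check that only requires "no scheme" and "path starts with /".
# URI.parse("//evil.example/") has no scheme (so it is relative?) but a
# host of evil.example and a path of "/", so this version returns it.
def naive_redirect_path(path)
  return ROOT_PATH if path.nil? || path.empty?

  parsed = URI.parse(path)
  return ROOT_PATH unless parsed.relative? && parsed.path.start_with?("/")

  path
rescue URI::InvalidURIError
  ROOT_PATH
end

# Hardened check: additionally rejects anything carrying a host and any raw
# string starting with "//" or "/\", which browsers may read as an authority.
def safe_redirect_path(path)
  return ROOT_PATH if path.nil? || path.empty?
  return ROOT_PATH if path.start_with?("//", "/\\")

  parsed = URI.parse(path)
  return ROOT_PATH unless parsed.relative? &&
                          parsed.host.nil? &&
                          parsed.path.start_with?("/")

  path
rescue URI::InvalidURIError
  ROOT_PATH
end

# Constructed sample values an attacker could plant in omniauth.origin
# (these are made up for the example, not captured from a real request).
CONSTRUCTED_ORIGINS = [
  "/dashboard?tab=1",      # legitimate in-app return path
  "https://evil.example/", # absolute external URL
  "//evil.example/",       # protocol-relative, no scheme but has a host
  "///evil.example/",      # triple slash, some browsers treat as //host
  "/\\evil.example",       # backslash variant, not a valid URI
  "javascript:alert(1)",   # non-http scheme
  nil,                     # origin never set
].freeze

# Runs one of the checkers over every sample and returns input => result.
def outcomes(checker)
  CONSTRUCTED_ORIGINS.to_h { |origin| [origin, send(checker, origin)] }
end

if __FILE__ == $PROGRAM_NAME
  %i[naive_redirect_path safe_redirect_path].each do |checker|
    puts "== #{checker}"
    outcomes(checker).each { |origin, result| puts "  #{origin.inspect} => #{result.inspect}" }
  end
end
```

Running it shows the naive check returning `//evil.example/` unchanged while the hardened check collapses every off-site or malformed value to `/` and passes `/dashboard?tab=1` through untouched.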
Note
This issue was created automatically by Revise as part of a routine security audit.
A pull request will be opened shortly to address this issue.