flows: fix potential open redirect vuln

passbook/flows/views.py

@@ -22,7 +22,7 @@ from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableExcep
 from passbook.flows.models import Flow, FlowDesignation, Stage
 from passbook.flows.planner import FlowPlan, FlowPlanner
 from passbook.lib.utils.reflection import class_to_path, path_to_class
-from passbook.lib.utils.urls import redirect_with_qs
+from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
 from passbook.lib.views import bad_request_message
 
 LOGGER = get_logger()
@@ -50,8 +50,9 @@ class FlowExecutorView(View):
     def handle_invalid_flow(self, exc: BaseException) -> HttpResponse:
         """When a flow is non-applicable check if user is on the correct domain"""
         if NEXT_ARG_NAME in self.request.GET:
-            LOGGER.debug("f(exec): Redirecting to next on fail")
-            return redirect(self.request.GET.get(NEXT_ARG_NAME))
+            if not is_url_absolute(self.request.GET.get(NEXT_ARG_NAME)):
+                LOGGER.debug("f(exec): Redirecting to next on fail")
+                return redirect(self.request.GET.get(NEXT_ARG_NAME))
         message = exc.__doc__ if exc.__doc__ else str(exc)
         return bad_request_message(self.request, message)
 

scripts/ci.docker-compose.yml

@@ -0,0 +1,25 @@
+version: '3.7'
+
+services:
+  postgresql:
+    container_name: postgres
+    image: postgres:11
+    volumes:
+    - db-data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: passbook
+      POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+      POSTGRES_DB: passbook
+    ports:
+    - 5432:5432
+    restart: always
+  redis:
+    container_name: redis
+    image: redis
+    ports:
+    - 6379:6379
+    restart: always
+
+volumes:
+  db-data:
+    driver: local

scripts/prometheus/grafana.helm.yaml

@@ -1,10 +0,0 @@
-ingress:
-  enabled: true
-  hosts:
-    - some.address.tld
-
-grafana.ini:
-  auth.anonymous:
-    enabled: true
-    org_name: Main Org.
-    org_role: Viewer

scripts/prometheus/instance.yaml

@@ -1,63 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-    name: prometheus
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-    name: prometheus
-rules:
-    - apiGroups: [""]
-      resources:
-          - nodes
-          - services
-          - endpoints
-          - pods
-      verbs: ["get", "list", "watch"]
-    - apiGroups: [""]
-      resources:
-          - configmaps
-      verbs: ["get"]
-    - nonResourceURLs: ["/metrics"]
-      verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-    name: prometheus
-roleRef:
-    apiGroup: rbac.authorization.k8s.io
-    kind: ClusterRole
-    name: prometheus
-subjects:
-    - kind: ServiceAccount
-      name: prometheus
-      namespace: prod-passbook-ng
----
-apiVersion: monitoring.coreos.com/v1
-kind: Prometheus
-metadata:
-    name: prometheus
-spec:
-    serviceAccountName: prometheus
-    serviceMonitorSelector:
-        matchLabels:
-            app.kubernetes.io/name: passbook
-    enableAdminAPI: false
-    ruleSelector:
-        matchLabels:
-            app.kubernetes.io/name: passbook
-    storage:
-        volumeClaimTemplate:
-            metadata:
-                labels:
-                    prometheus: k8s
-                name: prometheus-storage
-            spec:
-                accessModes:
-                    - ReadWriteOnce
-                resources:
-                    requests:
-                        storage: 15Gi