Javascript redirect vulnerability

Question

Say I store the url path in a query parameter like /?return_back_to=/foo/bar

Then pass this to some external auth service like Microsoft, which does the login and returns to the same url with my query parameter.

At this point, is it safe to get the value from the query parameter and redirect using React navigate() to this url? Or is this considered an "open redirect vulnerability" ?

Answer 1

On the surface, as long as you follow a bunch of best practices and validate the query parameter, it should be save to use it, and would not be "open redirect vulnerability".

You mentioned using Microsoft auth service, which i personally don't have that much experience with, but I have used firebase and google auth a lot and I know that they automatically check and if the redirect URL is not whitelisted it will not work. firebase automatically adds localhost and your app domain to whitelist and you can add more if you have external links that you would like your users to be redirected to.

source 1: https://support.google.com/firebase/answer/6400741?hl=en

source 2: https://support.google.com/firebase/answer/9021429?hl=en

in terms of it being safe to use react navigate() when users are actually back to your app, you should make sure to either check the URL against a local whitelist or just add your app domain to the URL before redirecting the users.

navigate({safeDomain} + {query parameter})

Although I should mention that if by navigate() you are refering to useNavigate() hook, I dont think you can use it for that, and you need to use redirect() .

some more useful information for mitigating against open redirect vulnerability

I hope this was helpful!