fix(iframe-app): prevent client-side open redirect in EasyAuth login popup#9373
Open
rllyy97 wants to merge 2 commits into
Open
fix(iframe-app): prevent client-side open redirect in EasyAuth login popup#9373rllyy97 wants to merge 2 commits into
rllyy97 wants to merge 2 commits into
Conversation
…popup The EasyAuth login popup built its target URL by concatenating the (user-influenceable) baseUrl and signInEndpoint and passed it straight to window.open, which CodeQL flagged as a client-side open-redirect sink (SM05376 / CWE-601, alert #100). Normalize the URL with the URL constructor and strictly validate it before opening: enforce https (http allowed only for localhost during dev), allow the hosting page's own origin, and otherwise require a trusted *.logic.azure.com / *.logic-apps.azure.com host. Untrusted or malformed URLs are rejected via onFailed and never reach window.open. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
🤖 AI PR Validation ReportPR Review ResultsThank you for your submission! Here's detailed feedback on your PR title and body compliance:✅ PR Title
✅ Commit Type
|
| Section | Status | Recommendation |
|---|---|---|
| Title | ✅ | No changes needed |
| Commit Type | ✅ | No changes needed |
| Risk Level | ✅ | Matches label/body; optional reconsideration only if your team treats security fixes as medium |
| What & Why | ✅ | No changes needed |
| Impact of Change | ✅ | No changes needed |
| Test Plan | ✅ | Unit tests in diff satisfy the requirement |
| Contributors | Optional: add contributors if applicable | |
| Screenshots/Videos | ✅ | N/A is appropriate |
Overall: this PR passes. The advised risk level remains low, matching the submitter’s assessment.
Last updated: Tue, 07 Jul 2026 17:43:01 GMT
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a CodeQL “Client-side Open URL redirect” finding in the iframe-app EasyAuth login flow by validating the computed login URL before passing it to window.open, preventing attacker-influenced navigation to untrusted origins.
Changes:
- Added
getValidatedLoginUrl()plus a Logic Apps domain allowlist to normalize/validate login popup URLs. - Updated
openLoginPopupto block untrusted/invalid URLs and invokeonFailedinstead of opening the popup. - Added unit tests covering trusted cross-origin domains and several blocked URL cases (untrusted origin, userinfo
@escape attempt, non-HTTPS, malformed URL).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| apps/iframe-app/src/lib/authHandler.ts | Adds URL normalization/allowlist validation and blocks unsafe window.open navigation. |
| apps/iframe-app/src/lib/tests/authHandler.test.ts | Adds test coverage for allowed/blocked login popup URLs. |
- Reject login popup URLs that embed userinfo (user:pass@host), a URL spoofing vector, even when the host is otherwise trusted - Extract the trusted Logic Apps domain allowlist into a shared trusted-domains module so authHandler and config-parser can't drift - Make LoginPopupOptions.signInEndpoint required to match IdentityProvider - Add a test covering userinfo rejection on a trusted host Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
📊 Coverage Check🎉 All changed files have adequate test coverage! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Type
Risk Level
What & Why
Fixes CodeQL code-scanning alert #100 — Client-side Open URL redirect (
SM05376, CWE-601 / CWE-79).The iframe-app EasyAuth login popup (
openLoginPopupinapps/iframe-app/src/lib/authHandler.ts) built its target URL by concatenating thebaseUrlandsignInEndpointoptions and passed the result straight towindow.open. Those values ultimately derive fromwindow.location(via theagentCardURL parameter), so CodeQL flagged thewindow.opencall as an open-redirect sink — a crafted value could navigate the login popup to a malicious origin (e.g.https://trusted@evil.example.net/...).The fix adds
getValidatedLoginUrl(), which normalizes the URL with theURLconstructor and strictly validates it before opening — the exact pattern recommended in the alert guidance (normalize as a URL object, then strict origin/host match):https:(allowshttp:only forlocalhost/127.0.0.1during local development).window.location.origin) — EasyAuth lives on the app's own origin.*.logic.azure.com/*.logic-apps.azure.com), kept in sync with the existingagentCardallowlist inconfig-parser.ts.onFailedcallback and never reachwindow.open.Impact of Change
openLoginPopupgains an internal validation step; untrusted inputs now surface through the existingonFailedcallback.Test Plan
vitestrun (apps/iframe-app)Added unit tests in
authHandler.test.tscovering: a trusted cross-origin Logic Apps domain (allowed), an untrusted origin (blocked), a sign-in endpoint escaping the base origin via userinfo@(blocked), a non-HTTPS non-localhost URL (blocked), and a malformed URL (blocked). All existingopenLoginPopuptests continue to pass.authHandler.test.ts— 41 tests passiframe-appsuite — 280 passed / 1 skippedbiome checkclean on changed filesContributors
Screenshots/Videos
N/A — no visual changes.