Fix _allow_redirect function to reject absolute URLs

This fixes a security issue:
- attacker can crafts a redirect URL to an external site
- attacker gets victim to click on it
- victim logs in
- after login, Healthchecks redirects victim to the external site

The _allow_redirect function now additionally
requires the redirect URL is relative (has no scheme or domain).

CHANGELOG.md

@@ -14,6 +14,7 @@ All notable changes to this project will be documented in this file.
 ### Bug Fixes
 - Fix dark mode styling issues in Cron Syntax Cheatsheet
 - Fix a 403 when transferring a project to a read-only team member
+- Security: fix allow_redirect function to reject absolute URLs
 
 ## v1.21.0 - 2020-07-02
 

hc/accounts/tests/test_login.py

@@ -95,8 +95,14 @@ class LoginTestCase(BaseTestCase):
     def test_it_handles_bad_next_parameter(self):
         form = {"action": "login", "email": "alice@example.org", "password": "password"}
 
-        r = self.client.post("/accounts/login/?next=/evil/", form)
-        self.assertRedirects(r, self.checks_url)
+        samples = [
+            "/evil/",
+            f"https://example.org/projects/{self.project.code}/checks/",
+        ]
+
+        for sample in samples:
+            r = self.client.post("/accounts/login/?next=" + sample, form)
+            self.assertRedirects(r, self.checks_url)
 
     def test_it_handles_wrong_password(self):
         form = {

hc/accounts/views.py

@@ -54,6 +54,10 @@ def _allow_redirect(redirect_url):
         return False
 
     parsed = urlparse(redirect_url)
+    if parsed.netloc:
+        # Allow redirects only to relative URLs
+        return False
+
     try:
         match = resolve(parsed.path)
     except Resolver404: