FIX: respond with 400 error on invalid redirect param

FIX: respond with 400 error on invalid redirect param

diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
index 991c9c9..40b5efa 100644
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@@ -89,8 +89,10 @@ class StaticController < ApplicationController
 
     destination = path("/")
 
-    redirect_location = params[:redirect].to_s
-    if redirect_location.present? && !redirect_location.match(login_path)
+    redirect_location = params[:redirect]
+    if redirect_location.present? && !redirect_location.is_a?(String)
+      raise Discourse::InvalidParameters.new(:redirect)
+    elsif redirect_location.present? && !redirect_location.match(login_path)
       begin
         forum_uri = URI(Discourse.base_url)
         uri = URI(redirect_location)
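Review bot: On the new `elsif` line, `redirect_location.match(login_path)` turns the login path into an unanchored regular expression, so any redirect value that merely contains that text somewhere (a topic slug, a query string) is treated as a login redirect and silently falls back to the root. That fails safe rather than opening a redirect, but it is probably broader than intended. If the aim is only to avoid bouncing back to the login page, an anchored literal check such as `!redirect_location.start_with?(login_path)` would be more exact; confirm first whether absolute URLs must also be excluded. `redirect_location.present?` is also evaluated in both branches and could be hoisted into a single guard. The `begin` block continues past the end of the hunk, so the host comparison that follows is not visible here.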
diff --git a/spec/requests/static_controller_spec.rb b/spec/requests/static_controller_spec.rb
index 73ce3ff..dce1d05 100644
--- a/spec/requests/static_controller_spec.rb
+++ b/spec/requests/static_controller_spec.rb
@@ -286,7 +286,12 @@ describe StaticController do
     context 'with an array' do
       it "redirects to the root" do
         post "/login.json", params: { redirect: ["/foo"] }
-        expect(response).to redirect_to('/')
+        expect(response.status).to eq(400)
+        json = JSON.parse(response.body)
+        expect(json["errors"]).to be_present
+        expect(json["errors"]).to include(
+          I18n.t("invalid_params", message: "redirect")
+        )
       end
     end
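Review bot: The example on the context line is still titled `it "redirects to the root"`, but its body now asserts a 400 response, so the description contradicts the expectations. Rename it to `it "responds with a 400 error"`. Only the array case is exercised. A hash value such as `params: { redirect: { a: "b" } }` should reach the same `is_a?(String)` branch in the controller and is worth a second example.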

GitHub sha: 863d8014
