fix: prevent open redirect in redirect back via referrer host validation

Add config-driven security controls for redirect back. The referrer URL
is now validated against the request Host header and a configurable
allowedHosts list. Introduce a getPreviousUrl helper and expose it on
both the Request and Redirect classes. The Redirect class now extends
Macroable so getPreviousUrl can be overridden for custom resolution
(e.g. session-based). Also add config options for forwardQueryString
default and a withQs(boolean) overload.

Author: thetutlage

factories/response.ts

@@ -45,6 +45,10 @@ export class HttpResponseFactory {
       etag: false,
       serializeJSON: safeStringify,
       jsonpCallbackName: 'callback',
+      redirect: {
+        allowedHosts: [] as string[],
+        forwardQueryString: false,
+      },
       cookie: {
         maxAge: 90,
         path: '/',

src/define_config.ts

@@ -57,6 +57,10 @@ export function defineConfig(config: UserDefinedServerConfig): ServerConfig {
     useAsyncLocalStorage: false,
     etag: false,
     jsonpCallbackName: 'callback',
+    redirect: {
+      allowedHosts: [] as string[],
+      forwardQueryString: false,
+    },
     cookie: {
       maxAge: '2h',
       path: '/',

src/helpers.ts

@@ -7,6 +7,7 @@
  * file that was distributed with this source code.
  */
 
+import type { IncomingHttpHeaders } from 'node:http'
 import { serialize } from 'cookie-es'
 // @ts-expect-error
 import matchit from '@poppinss/matchit'
@@ -30,6 +31,49 @@ import {
 
 export { createURL }
 
+/**
+ * Returns the previous URL from the request's `Referer` header,
+ * validated against the request's `Host` header and an optional
+ * list of allowed hosts.
+ *
+ * The referrer is accepted when its host matches the request's
+ * `Host` header or is listed in `allowedHosts`. Otherwise the
+ * `fallback` value is returned.
+ *
+ * @param headers - The incoming request headers
+ * @param allowedHosts - Array of allowed referrer hosts
+ * @param fallback - URL to return when referrer is missing or invalid
+ */
+export function getPreviousUrl(
+  headers: IncomingHttpHeaders,
+  allowedHosts: string[],
+  fallback: string
+): string {
+  let referrer = headers['referer'] || headers['referrer']
+  if (!referrer) {
+    return fallback
+  }
+
+  if (Array.isArray(referrer)) {
+    referrer = referrer[0]
+  }
+
+  try {
+    const parsed = new URL(referrer)
+    const host = headers['host']
+    if (host && parsed.host === host) {
+      return referrer
+    }
+    if (allowedHosts.length > 0 && allowedHosts.includes(parsed.host)) {
+      return referrer
+    }
+  } catch {
+    // malformed URL
+  }
+
+  return fallback
+}
+
 /**
  * This function is similar to the intrinsic function encodeURI. However, it will not encode:
  *  - The \, ^, or | characters

src/redirect.ts

@@ -11,9 +11,10 @@ import type { IncomingMessage } from 'node:http'
 
 import debug from './debug.ts'
 import type { Qs } from './qs.ts'
-import { encodeUrl } from './helpers.ts'
+import { encodeUrl, getPreviousUrl } from './helpers.ts'
 import type { Router } from './router/main.ts'
 import type { HttpResponse } from './response.ts'
+import type { ResponseConfig } from './types/response.ts'
 import type {
   RoutesList,
   LookupList,
@@ -22,6 +23,7 @@ import type {
   RouteBuilderArguments,
 } from './types/url_builder.ts'
 import { safeDecodeURI } from './utils.ts'
+import Macroable from '@poppinss/macroable'
 
 /**
  * Provides a fluent API for constructing HTTP redirect responses.
@@ -45,7 +47,13 @@ import { safeDecodeURI } from './utils.ts'
  *   .toPath('/dashboard')
  * ```
  */
-export class Redirect {
+export class Redirect extends Macroable {
+  /**
+   * Array of allowed hosts for referrer-based redirects.
+   * When empty, only the request's own host is allowed.
+   */
+  allowedHosts: string[]
+
   /**
    * Flag indicating whether to forward the existing query string from the current request
    */
@@ -87,12 +95,22 @@ export class Redirect {
    * @param response - AdonisJS response instance
    * @param router - AdonisJS router instance
    * @param qs - Query string parser instance
+   * @param config - Redirect configuration
    */
-  constructor(request: IncomingMessage, response: HttpResponse, router: Router, qs: Qs) {
+  constructor(
+    request: IncomingMessage,
+    response: HttpResponse,
+    router: Router,
+    qs: Qs,
+    config: ResponseConfig['redirect']
+  ) {
+    super()
     this.#request = request
     this.#response = response
     this.#router = router
     this.#qs = qs
+    this.allowedHosts = config.allowedHosts
+    this.#forwardQueryString = config.forwardQueryString
   }
 
   /**
@@ -113,12 +131,17 @@ export class Redirect {
   }
 
   /**
-   * Extracts and returns the referrer URL from request headers
-   * @returns {string} The referrer URL or '/' if not found
+   * Returns the previous URL for redirect back. By default reads
+   * the `Referer` header and validates the host.
+   *
+   * Since `Redirect` extends `Macroable`, this method can be overridden
+   * to implement custom logic such as session-based previous URL
+   * resolution.
+   *
+   * @param fallback - URL to return when no valid previous URL is found
    */
-  #getReferrerUrl(): string {
-    let url = this.#request.headers['referer'] || this.#request.headers['referrer'] || '/'
-    return Array.isArray(url) ? url[0] : url
+  getPreviousUrl(fallback: string): string {
+    return getPreviousUrl(this.#request.headers, this.allowedHosts, fallback)
   }
 
   /**
@@ -157,6 +180,23 @@ export class Redirect {
    * ```
    */
   withQs(): this
+  /**
+   * Enables or disables query string forwarding from the current request.
+   *
+   * Use this overload to explicitly control query string forwarding,
+   * especially useful when `forwardQueryString` is enabled by default
+   * in the redirect config and you want to disable it for a specific redirect.
+   *
+   * @param forward - Whether to forward the query string
+   * @returns The Redirect instance for method chaining
+   *
+   * @example
+   * ```ts
+   * // Disable query string forwarding for this redirect
+   * response.redirect().withQs(false).toPath('/dashboard')
+   * ```
+   */
+  withQs(forward: boolean): this
   /**
    * Adds multiple query string parameters to the redirect URL
    *
@@ -190,12 +230,17 @@ export class Redirect {
    * ```
    */
   withQs(name: string, value: any): this
-  withQs(name?: Record<string, any> | string, value?: any): this {
+  withQs(name?: Record<string, any> | string | boolean, value?: any): this {
     if (typeof name === 'undefined') {
       this.#forwardQueryString = true
       return this
     }
 
+    if (typeof name === 'boolean') {
+      this.#forwardQueryString = name
+      return this
+    }
+
     if (typeof name === 'string') {
       this.#queryString[name] = value
       return this
@@ -206,20 +251,21 @@ export class Redirect {
   }
 
   /**
-   * Redirects to the previous path using the Referer header
-   * Falls back to '/' if no referrer is found
+   * Redirects to the previous URL resolved via `getPreviousUrl`.
+   *
+   * @param fallback - URL to redirect to when no valid previous URL is found
    */
-  back() {
+  back(fallback: string = '/') {
     let query: Record<string, any> = {}
 
-    const referrerUrl = this.#getReferrerUrl()
-    const url = safeDecodeURI(referrerUrl, false)
+    const previousUrl = this.getPreviousUrl(fallback)
+    const url = safeDecodeURI(previousUrl, false)
 
-    debug('referrer url "%s"', referrerUrl)
-    debug('referrer base url "%s"', url.pathname)
+    debug('previous url "%s"', previousUrl)
+    debug('previous base url "%s"', url.pathname)
 
     /**
-     * Parse query string from the referrer url
+     * Parse query string from the previous url
      */
     if (this.#forwardQueryString) {
       query = this.#qs.parse(url.query || '')

src/request.ts

@@ -21,6 +21,7 @@ import { type ServerResponse, type IncomingMessage, type IncomingHttpHeaders } f
 
 import type { Qs } from './qs.ts'
 import { CookieParser } from './cookies/parser.ts'
+import { getPreviousUrl } from './helpers.ts'
 import { safeDecodeURI, trustProxy } from './utils.ts'
 import { type RequestConfig } from './types/request.ts'
 import type { HttpContext } from './http_context/main.ts'
@@ -697,6 +698,21 @@ export class HttpRequest extends Macroable {
     return `${protocol}://${hostname}${this.url(includeQueryString)}`
   }
 
+  /**
+   * Returns the previous URL from the `Referer` header, validated against
+   * the request's `Host` header and an optional list of allowed hosts.
+   *
+   * The referrer is accepted when its host matches the request's `Host`
+   * header or is listed in `allowedHosts`. Otherwise the `fallback`
+   * value is returned.
+   *
+   * @param allowedHosts - Array of allowed referrer hosts
+   * @param fallback - URL to return when referrer is missing or invalid
+   */
+  getPreviousUrl(allowedHosts: string[], fallback: string = '/'): string {
+    return getPreviousUrl(this.request.headers, allowedHosts, fallback)
+  }
+
   /**
    * Find if the current HTTP request is for the given route or the routes
    * @param routeIdentifier - Route name, pattern, or handler reference to match

src/response.ts

@@ -1038,7 +1038,7 @@ export class HttpResponse extends Macroable {
     forwardQueryString: boolean = false,
     statusCode: number = ResponseStatus.Found
   ): Redirect | void {
-    const handler = new Redirect(this.request, this, this.#router, this.#qs)
+    const handler = new Redirect(this.request, this, this.#router, this.#qs, this.#config.redirect)
 
     if (forwardQueryString) {
       handler.withQs()

src/types/response.ts

@@ -67,6 +67,27 @@ export type ResponseConfig = {
    * Default options to apply when setting cookies
    */
   cookie: Partial<CookieOptions>
+
+  /**
+   * Configuration for HTTP redirects
+   */
+  redirect: {
+    /**
+     * Array of allowed hosts for referrer-based redirects.
+     * When empty, only the request's own host is allowed.
+     *
+     * Defaults to []
+     */
+    allowedHosts: string[]
+
+    /**
+     * Whether to forward the query string from the current request
+     * by default on redirects.
+     *
+     * Defaults to false
+     */
+    forwardQueryString: boolean
+  }
 }
 
 /**

tests/redirect.spec.ts

@@ -140,8 +140,8 @@ test.group('Redirect', () => {
       response.finish()
     })
 
-    const { header } = await supertest(url).get('/').set('referrer', '/foo').redirects(1)
-    assert.equal(header.location, '/foo')
+    const { header } = await supertest(url).get('/').set('referrer', `${url}/foo`).redirects(1)
+    assert.equal(header.location, `${url}/foo`)
   })
 
   test('redirect back to referrer with existing query string', async ({ assert }) => {
@@ -152,9 +152,12 @@ test.group('Redirect', () => {
       response.finish()
     })
 
-    const { header } = await supertest(url).get('/').set('referrer', '/foo?name=virk').redirects(1)
+    const { header } = await supertest(url)
+      .get('/')
+      .set('referrer', `${url}/foo?name=virk`)
+      .redirects(1)
 
-    assert.equal(header.location, '/foo?name=virk')
+    assert.equal(header.location, `${url}/foo?name=virk`)
   })
 
   test('redirect back to referrer with query string', async ({ assert }) => {
@@ -165,9 +168,12 @@ test.group('Redirect', () => {
       response.finish()
     })
 
-    const { header } = await supertest(url).get('/').set('referer', '/foo?name=virk').redirects(1)
+    const { header } = await supertest(url)
+      .get('/')
+      .set('referer', `${url}/foo?name=virk`)
+      .redirects(1)
 
-    assert.equal(header.location, '/foo?name=virk')
+    assert.equal(header.location, `${url}/foo?name=virk`)
   })
 
   test('redirect back to root (/) when referrer header is not set', async ({ assert }) => {