From 1ad8f20c721de6a6fae6ada773be1a259e191881 Mon Sep 17 00:00:00 2001
From: Ahmad Sadeddin
Date: Fri, 26 Jan 2024 10:36:31 -0800
Subject: [PATCH] Corgea's fix for issue e08260d0-a953-4f0a-b531-f917c43d21bf

---
 ee/api/billing.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ee/api/billing.py b/ee/api/billing.py
index 08e0fc08a971..e4bebeb693b1 100644
--- a/ee/api/billing.py
+++ b/ee/api/billing.py
@@ -1,3 +1,4 @@
+from django.utils.http import is_safe_url
 from typing import Any, Optional
 
 import posthoganalytics
@@ -115,6 +116,9 @@ def activation(self, request: Request, *args: Any, **kwargs: Any) -> HttpRespons
         billing_service_token = build_billing_token(license, organization)
         url = f"{url}&token={billing_service_token}"
 
+        if not is_safe_url(url, allowed_hosts={request.get_host()}):
+            raise ValidationError("Unsafe redirect detected.")
+
         return redirect(url)
 
     @action(methods=["GET"], detail=False)
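Review bot: `is_safe_url` was deprecated in Django 3.0 and removed in Django 4.0 in favor of `url_has_allowed_host_and_scheme`, so the import added in the first hunk raises ImportError at module load on any Django 4+ tree and takes the whole billing API down with it, not just this endpoint. The Django version this repository pins is not visible here; unless it is still 3.x, the line should be `from django.utils.http import url_has_allowed_host_and_scheme`, and the call in the second hunk renamed accordingly, which keeps the same arguments and semantics. As a point of style, the new import sits above `from typing import ...` rather than in the third-party group with the other Django imports, which isort or ruff's import sorter will reorder on the next run.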
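Review bot: `allowed_hosts={request.get_host()}` in the second hunk allows only the host serving this request, but `url` is built from the billing service's address (its construction is above the hunk and `activation` begins outside it, so I infer this from the `billing_service_token` query parameter appended just before), which presumably lives on a different origin; if so the check turns every legitimate activation redirect into a 400, and if it ever shares the host the check adds nothing. The value worth protecting is the `token=` query parameter, so the host to allow is the configured billing-service origin rather than the request's, e.g. `if not is_safe_url(url, allowed_hosts={<billing-service-host>}, require_https=True):` with the host taken from the same setting the URL is built from, so the token cannot be sent to another host or over plain HTTP. A one-line comment above the check, such as `# Guard the billing token appended to the redirect target: only the configured billing host may receive it.`, would record why the check exists and which host it is meant to pin.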