Skip to content

fix: add validation for SAML SLO redirect URLs #38994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
julio-rocketchat merged 9 commits into from
Mar 26, 2026
Merged

fix: add validation for SAML SLO redirect URLs #38994

Changes from 3 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
f574d8c
fix: add validation for SAML SLO redirect URLs
yasnagat Feb 24, 2026
fd4998d
Normalize path comparison for redirect validation
yasnagat Feb 27, 2026
8411cf9
Merge branch 'develop' into saml-redirect-validation
yasnagat Feb 27, 2026
6843866
Update apps/meteor/app/meteor-accounts-saml/server/lib/SAML.ts
yasnagat Mar 3, 2026
568e6c3
add changeset file
yasnagat Mar 4, 2026
0e154f3
Merge branch 'develop' into saml-redirect-validation
julio-rocketchat Mar 17, 2026
3346067
Update apps/meteor/app/meteor-accounts-saml/server/lib/SAML.ts
julio-rocketchat Mar 19, 2026
7dd041a
Merge branch 'develop' into saml-redirect-validation
julio-rocketchat Mar 19, 2026
6b923a5
Merge branch 'develop' into saml-redirect-validation
yasnagat Mar 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 44 additions & 4 deletions apps/meteor/app/meteor-accounts-saml/server/lib/SAML.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ export class SAML {
case 'logout':
return this.processLogoutAction(req, res, service);
case 'sloRedirect':
return this.processSLORedirectAction(req, res);
return this.processSLORedirectAction(req, res, service);
case 'authorize':
return this.processAuthorizeAction(res, service, samlObject);
case 'validate':
Expand Down Expand Up @@ -391,11 +391,51 @@ export class SAML {
});
}

private static processSLORedirectAction(req: IIncomingMessage, res: ServerResponse): void {
private static processSLORedirectAction(req: IIncomingMessage, res: ServerResponse, service: IServiceProviderOptions): void {
const { idpSLORedirectURL } = service;
const userRedirect = req.query.redirect as string;
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Comment thread
cubic-dev-ai[bot] marked this conversation as resolved.

if (!idpSLORedirectURL) {
res.writeHead(500);
res.end('SLO redirect not configured');
return;
}

if (!userRedirect) {
Comment thread
yasnagat marked this conversation as resolved.
Outdated
res.writeHead(400);
res.end('Missing redirect parameter');
return;
}

let configuredURL: URL;
let requestURL: URL;

try {
configuredURL = new URL(idpSLORedirectURL);
requestURL = new URL(userRedirect);
} catch {
res.writeHead(400);
res.end('Invalid URL format');
return;
Comment thread
julio-rocketchat marked this conversation as resolved.
}

if (configuredURL.origin !== requestURL.origin) {
res.writeHead(403);
res.end('Unauthorized redirect origin');
return;
}

const normalizePath = (p: string): string => p.replace(/\/+$/, '') || '/';
if (normalizePath(configuredURL.pathname) !== normalizePath(requestURL.pathname)) {
res.writeHead(403);
res.end('Unauthorized redirect path');
return;
}

res.writeHead(302, {
// credentialToken here is the SAML LogOut Request that we'll send back to IDP
Location: req.query.redirect,
Location: requestURL.toString(),
Comment thread
julio-rocketchat marked this conversation as resolved.
});

res.end();
}

Expand Down
Loading