fix(web): prevent XSS via OAuth redirect URL validation

[msukkari]

Summary

This PR fixes the CodeQL security alert #33 (js/xss-through-exception) which flagged XSS vulnerabilities in the OAuth consent screen.

Fixes #928

Changes

1. Added URL Validation Utility

Added validateOAuthRedirectUrl() function to packages/web/src/lib/utils.ts that:

• Blocks dangerous protocols: javascript:, data:, vbscript:
• Allows safe protocols: http:, https:, and custom app protocols (e.g., cursor://, vscode://, claude://)
• Returns null for invalid URLs or dangerous protocols

2. Fixed OAuth Consent Screen (consentScreen.tsx)

• Lines 50 & 67: Added URL validation before window.location.href navigation in both onApprove() and onDeny() flows
• Line 53: Removed error message interpolation from toast descriptions (previously ${result.message}) to use static error messages, preventing XSS via exception text

3. Fixed OAuth Complete Page (complete/page.tsx)

• Added URL validation before window.location.href navigation
• Added error state to display a user-friendly message if the redirect URL is invalid

4. Added Unit Tests

Added comprehensive tests in packages/web/src/lib/utils.test.ts covering:

• Blocking of dangerous protocols (javascript:, data:, vbscript:)
• Allowing of safe protocols (https:, http:, custom app protocols)
• Handling of malformed URLs

Security Impact

• Prevents potential XSS attacks via javascript: URI injection in OAuth redirect URLs
• Prevents XSS via error message interpolation in toast notifications
• Maintains backward compatibility with legitimate OAuth clients using custom protocols

Testing

• All 271 tests pass
• Lint passes with no new warnings
• New utility function has 10 dedicated unit tests

Linear Issue: SOU-928

  

Summary by CodeRabbit

• Bug Fixes
  • Redirects after authorization are now validated before navigation; invalid redirects show an “Invalid redirect URL” notification instead of navigating.
  • Improved handling of approval/denial flows so pending state is cleared on failures or invalid redirects.
  • Authorization error messaging standardized to present consistent, user-friendly notifications when requests fail.

[coderabbitai]

Walkthrough

Validate OAuth redirect URLs returned by approve/deny flows before assigning to window.location; show an "Invalid redirect URL" or failure toast and clear pending when validation fails or on errors.

Changes

Cohort / File(s)	Summary
Consent screen logic packages/web/src/app/oauth/authorize/components/consentScreen.tsx	Validate redirect URL from approveAuthorization / denyAuthorization before using it; conditional navigation only on validated URL, show toasts on invalid/error cases, and ensure setPending(null) is called in explicit branches rather than unconditionally.
URL validation util packages/web/src/lib/utils.ts	Added exported `validateOAuthRedirectUrl(url: string): string

Sequence Diagram(s)

sequenceDiagram
  participant User as "User"
  rect rgba(220,240,255,0.5)
  participant UI as "ConsentScreen UI"
  end
  rect rgba(240,255,220,0.5)
  participant AuthAPI as "approve/denyAuthorization (API)"
  end
  rect rgba(255,240,220,0.5)
  participant Validator as "validateOAuthRedirectUrl"
  end
  participant Browser as "window.location"
  
  User->>UI: Click Approve / Deny
  UI->>AuthAPI: call approveAuthorization / denyAuthorization
  AuthAPI-->>UI: returns { success, redirectUrl?, message? }
  UI->>Validator: validateOAuthRedirectUrl(redirectUrl)
  alt valid URL
    Validator-->>UI: normalized URL
    UI->>Browser: set window.location.href = normalized URL
  else invalid / parse error
    Validator-->>UI: null
    UI->>UI: show "Invalid redirect URL" / failure toast
    UI->>UI: setPending(null)
  end
  alt API error
    AuthAPI-->>UI: error
    UI->>UI: show failure toast
    UI->>UI: setPending(null)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix(web): handle duplicate resource query params in OAuth authorize endpoint #987: Modifies the same consentScreen approval/redirect logic (approve/deny flows, redirect handling, pending state and toast behavior).

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR objectives describe fixing OAuth XSS vulnerabilities and updating consent screens, but the linked issue #928 concerns filterByFilepaths in search queries—unrelated coding requirements.	Verify that issue #928 is the intended linked issue or link the actual OAuth security issue instead. The current PR does not address filterByFilepaths functionality.
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main security fix: preventing XSS vulnerabilities through OAuth redirect URL validation.
Out of Scope Changes check	✅ Passed	All changes (validateOAuthRedirectUrl utility, consentScreen.tsx validation, and complete/page.tsx handling) directly address OAuth XSS prevention as stated in PR objectives; no unrelated changes detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/fix-xss-oauth-consent-8415

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/web/src/app/oauth/complete/page.tsx`:
- Around line 13-18: The decodeURIComponent call is redundant and can corrupt or
throw for valid callback URLs; in the OAuth redirect flow replace usage of
decodeURIComponent(url) with the raw value from URLSearchParams.get('url') and
pass that directly into validateOAuthRedirectUrl, i.e., remove the decode step
around the string returned by URLSearchParams.get and then, if
validateOAuthRedirectUrl(validated) returns a URL, assign it to
window.location.href; update the logic in the component around the
validateOAuthRedirectUrl call to use the raw url variable instead of decodedUrl.

In `@packages/web/src/lib/utils.ts`:
- Around line 608-618: validateOAuthRedirectUrl currently uses a denylist of
protocols which allows unsafe schemes; replace it with an explicit allowlist:
permit "https:" always, permit "http:" only when hostname is "localhost",
"127.0.0.1" or "::1" (allow optional ports), and permit only well-known
registered custom schemes if your app supports them (otherwise reject other
schemes); update the function validateOAuthRedirectUrl to parse the URL, check
protocol against this allowlist, enforce the http host restriction, and return
null for any other schemes (ensuring blob:, file:, ftp:, intent:, etc. are
rejected).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9893d124-a944-4f24-ac61-5289cee896c7

📥 Commits

Reviewing files that changed from the base of the PR and between 2c89825 and 37ddf97.

📒 Files selected for processing (5)

• CHANGELOG.md
• packages/web/src/app/oauth/authorize/components/consentScreen.tsx
• packages/web/src/app/oauth/complete/page.tsx
• packages/web/src/lib/utils.test.ts
• packages/web/src/lib/utils.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Demonstrate that URLSearchParams.get already decodes and that a second decode mutates/throws.
node <<'NODE'
const original = 'cursor://callback?state=a%2Fb';
const query = `url=${encodeURIComponent(original)}`;
const valueFromSearchParams = new URLSearchParams(query).get('url');

console.log('after URLSearchParams.get:', valueFromSearchParams);
console.log('after second decode:', decodeURIComponent(valueFromSearchParams));

try {
  decodeURIComponent('cursor://callback?state=%E0%A4%A');
} catch (error) {
  console.log('decodeURIComponent throws:', error.name);
}
NODE

Repository: sourcebot-dev/sourcebot

Length of output: 208

---

🏁 Script executed:

#!/bin/bash
# Verify the file exists and read the relevant lines
if [ -f "packages/web/src/app/oauth/complete/page.tsx" ]; then
  echo "=== File exists ==="
  wc -l packages/web/src/app/oauth/complete/page.tsx
  echo ""
  echo "=== Lines 1-30 ==="
  head -30 packages/web/src/app/oauth/complete/page.tsx | cat -n
else
  echo "File does not exist"
fi

Repository: sourcebot-dev/sourcebot

Length of output: 1554

---

🏁 Script executed:

#!/bin/bash
# Find and read the validateOAuthRedirectUrl function
fd -t f "utils\.(ts|tsx|js|jsx)$" packages/web/src/lib/ -x grep -l "validateOAuthRedirectUrl"

Repository: sourcebot-dev/sourcebot

Length of output: 96

---

🏁 Script executed:

#!/bin/bash
# Read the utils.ts file to find validateOAuthRedirectUrl function
cat -n packages/web/src/lib/utils.ts

Repository: sourcebot-dev/sourcebot

Length of output: 23417

---

Remove the redundant decodeURIComponent() call.

URLSearchParams.get('url') already returns a decoded string. Decoding again corrupts valid callback URLs—for example, state=a%2Fb becomes state=a/b, breaking the intended payload. It can also throw URIError on malformed percent-encoded sequences, leaving the page stuck at "Redirecting…".

🐛 Proposed fix

         const url = new URLSearchParams(window.location.search).get('url');
         if (url) {
-            const decodedUrl = decodeURIComponent(url);
-            const validatedUrl = validateOAuthRedirectUrl(decodedUrl);
+            const validatedUrl = validateOAuthRedirectUrl(url);
             if (validatedUrl) {
                 window.location.href = validatedUrl;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const url = new URLSearchParams(window.location.search).get('url');
	if (url) {
	window.location.href = decodeURIComponent(url);
	const decodedUrl = decodeURIComponent(url);
	const validatedUrl = validateOAuthRedirectUrl(decodedUrl);
	if (validatedUrl) {
	window.location.href = validatedUrl;
	const url = new URLSearchParams(window.location.search).get('url');
	if (url) {
	const validatedUrl = validateOAuthRedirectUrl(url);
	if (validatedUrl) {
	window.location.href = validatedUrl;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/app/oauth/complete/page.tsx` around lines 13 - 18, The
decodeURIComponent call is redundant and can corrupt or throw for valid callback
URLs; in the OAuth redirect flow replace usage of decodeURIComponent(url) with
the raw value from URLSearchParams.get('url') and pass that directly into
validateOAuthRedirectUrl, i.e., remove the decode step around the string
returned by URLSearchParams.get and then, if validateOAuthRedirectUrl(validated)
returns a URL, assign it to window.location.href; update the logic in the
component around the validateOAuthRedirectUrl call to use the raw url variable
instead of decodedUrl.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Show schemes currently accepted by the denylist-only validator logic.
node <<'NODE'
const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];

for (const value of [
  'file:///etc/passwd',
  'ftp://example.com/callback',
  'blob:https://example.com/00000000-0000-0000-0000-000000000000',
  'about:blank',
  'intent://scan/#Intent;scheme=zxing;end',
]) {
  const parsed = new URL(value);
  const accepted = !dangerousProtocols.includes(parsed.protocol.toLowerCase());
  console.log(`${value} -> protocol=${parsed.protocol}, accepted=${accepted}`);
}
NODE

Repository: sourcebot-dev/sourcebot

Length of output: 392

---

🏁 Script executed:

# Find the complete function and its usage
rg -A 15 "validateOAuthRedirectUrl" --type ts --type tsx

Repository: sourcebot-dev/sourcebot

Length of output: 94

---

🏁 Script executed:

# Check for OAuth-related configuration and allowed protocols
rg -i "oauth.*protocol|allowed.*protocol|redirect.*url" --type ts --type tsx -B 2 -A 2

Repository: sourcebot-dev/sourcebot

Length of output: 94

---

🏁 Script executed:

# Look for any additional URL validation happening elsewhere
rg "window.location|location.href|window.open" --type ts --type tsx | head -20

Repository: sourcebot-dev/sourcebot

Length of output: 94

---

🏁 Script executed:

# Find the complete function and its usage - search without file type restriction
rg -A 15 "validateOAuthRedirectUrl"

Repository: sourcebot-dev/sourcebot

Length of output: 13026

---

🏁 Script executed:

# Look at the full utils.ts file to see the complete function
cat -n packages/web/src/lib/utils.ts | sed -n '600,640p'

Repository: sourcebot-dev/sourcebot

Length of output: 916

---

🏁 Script executed:

# Check where this validation function is called
rg "validateOAuthRedirectUrl" -B 2 -A 2

Repository: sourcebot-dev/sourcebot

Length of output: 7623

---

Replace denylist with allowlist for OAuth redirect URL validation.

The implementation does not match its own documentation. Comments specify that http: is allowed only for localhost and custom protocols must be registered, but the code accepts any protocol except three. This allows unintended protocols like file://, ftp://, blob://, and intent:// to pass validation.

The tests are also incomplete—they don't verify rejection of http:// with non-localhost hosts or arbitrary custom protocols. Use an allowlist to enforce the documented constraints:

🛡️ Proposed protocol allowlist

 export const validateOAuthRedirectUrl = (url: string): string | null => {
     try {
         const parsed = new URL(url);
         const protocol = parsed.protocol.toLowerCase();
 
-        const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
-        if (dangerousProtocols.includes(protocol)) {
+        const allowedCustomProtocols = new Set(['cursor:', 'vscode:', 'claude:']);
+        const isLoopbackHttp =
+            protocol === 'http:' &&
+            ['localhost', '127.0.0.1', '[::1]'].includes(parsed.hostname);
+
+        if (
+            protocol !== 'https:' &&
+            !isLoopbackHttp &&
+            !allowedCustomProtocols.has(protocol)
+        ) {
             return null;
         }
 
         return parsed.toString();
     } catch {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	export const validateOAuthRedirectUrl = (url: string): string | null => {
	try {
	const parsed = new URL(url);
	const protocol = parsed.protocol.toLowerCase();
	const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
	if (dangerousProtocols.includes(protocol)) {
	return null;
	}
	return parsed.toString();
	export const validateOAuthRedirectUrl = (url: string): string | null => {
	try {
	const parsed = new URL(url);
	const protocol = parsed.protocol.toLowerCase();
	const allowedCustomProtocols = new Set(['cursor:', 'vscode:', 'claude:']);
	const isLoopbackHttp =
	protocol === 'http:' &&
	['localhost', '127.0.0.1', '[::1]'].includes(parsed.hostname);
	if (
	protocol !== 'https:' &&
	!isLoopbackHttp &&
	!allowedCustomProtocols.has(protocol)
	) {
	return null;
	}
	return parsed.toString();

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/lib/utils.ts` around lines 608 - 618,
validateOAuthRedirectUrl currently uses a denylist of protocols which allows
unsafe schemes; replace it with an explicit allowlist: permit "https:" always,
permit "http:" only when hostname is "localhost", "127.0.0.1" or "::1" (allow
optional ports), and permit only well-known registered custom schemes if your
app supports them (otherwise reject other schemes); update the function
validateOAuthRedirectUrl to parse the URL, check protocol against this
allowlist, enforce the http host restriction, and return null for any other
schemes (ensuring blob:, file:, ftp:, intent:, etc. are rejected).

[github-actions]

@msukkari your pull request is missing a changelog!

[coderabbitai]

♻️ Duplicate comments (1)

packages/web/src/lib/utils.ts (1)

598-611: ⚠️ Potential issue | 🟠 Major

Denylist-only validation still permits unsafe schemes (e.g., file:, ftp:, blob:, intent:).

The function's JSDoc and PR description describe allowing only http:, https:, and known custom app protocols (cursor:, vscode:, claude:), but the implementation only rejects three protocols and accepts everything else. Schemes like file://, ftp://, blob:, about:, and intent:// pass through, which weakens the XSS/open-redirect hardening this PR is intended to provide. Note also that resolveCallbackUrl in packages/web/src/ee/features/oauth/actions.ts already wraps non-http(s) callbacks in /oauth/complete?url=..., so the values flowing into this validator at the consent screen are expected to be http:/https: or the /oauth/complete path — an allowlist would match that contract more tightly.

Switching to an explicit allowlist would also make the existing unit tests meaningful (they currently don't cover rejection of arbitrary unknown schemes).

🛡️ Proposed allowlist

 export const validateOAuthRedirectUrl = (url: string): string | null => {
     try {
         const parsed = new URL(url);
         const protocol = parsed.protocol.toLowerCase();
 
-        const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
-        if (dangerousProtocols.includes(protocol)) {
+        const allowedCustomProtocols = new Set(['cursor:', 'vscode:', 'claude:']);
+        const isLoopbackHttp =
+            protocol === 'http:' &&
+            ['localhost', '127.0.0.1', '[::1]'].includes(parsed.hostname);
+
+        if (
+            protocol !== 'https:' &&
+            !isLoopbackHttp &&
+            !allowedCustomProtocols.has(protocol)
+        ) {
             return null;
         }
 
         return parsed.toString();
     } catch {
         return null;
     }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/lib/utils.ts` around lines 598 - 611, The current denylist
in validateOAuthRedirectUrl still permits unsafe schemes; change it to an
explicit allowlist: accept relative callback paths that start with
"/oauth/complete" as-is, otherwise parse the input with new URL and only allow
protocols 'http:', 'https:', and the known app protocols 'cursor:', 'vscode:',
'claude:'; return null for anything else or on parse failure. Update
validateOAuthRedirectUrl (and adjust related tests) so resolveCallbackUrl's
contract (http(s) or /oauth/complete) is enforced by allowing only those
protocols/paths.

🧹 Nitpick comments (1)

packages/web/src/lib/utils.ts (1)

604-606: Consider documenting or testing control character handling in URL scheme validation.

The WHATWG URL parser normalizes embedded control characters (tab, newline, carriage return) in the scheme by stripping them silently. For example, "java\tscript:alert(1)" parses successfully as protocol "javascript:", which is then correctly caught by the existing dangerousProtocols check. While the code is currently protected, adding a test case like "java\tscript:alert(1)" or a brief comment explaining reliance on WHATWG normalization would document this behavior and prevent future regressions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/lib/utils.ts` around lines 604 - 606, Add a brief comment
next to the dangerousProtocols check explaining that WHATWG URL parsing
normalizes and strips embedded control characters in schemes (e.g.,
"java\tscript:alert(1)"), and add unit tests that assert such inputs parse to
"javascript:" and are rejected by the existing check; specifically, update the
tests exercising the conditional that references dangerousProtocols and the
protocol variable (the block containing "if
(dangerousProtocols.includes(protocol)) { return null; }") to include cases with
tabs, newlines, and carriage returns in the scheme to prevent regressions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@packages/web/src/lib/utils.ts`:
- Around line 598-611: The current denylist in validateOAuthRedirectUrl still
permits unsafe schemes; change it to an explicit allowlist: accept relative
callback paths that start with "/oauth/complete" as-is, otherwise parse the
input with new URL and only allow protocols 'http:', 'https:', and the known app
protocols 'cursor:', 'vscode:', 'claude:'; return null for anything else or on
parse failure. Update validateOAuthRedirectUrl (and adjust related tests) so
resolveCallbackUrl's contract (http(s) or /oauth/complete) is enforced by
allowing only those protocols/paths.

---

Nitpick comments:
In `@packages/web/src/lib/utils.ts`:
- Around line 604-606: Add a brief comment next to the dangerousProtocols check
explaining that WHATWG URL parsing normalizes and strips embedded control
characters in schemes (e.g., "java\tscript:alert(1)"), and add unit tests that
assert such inputs parse to "javascript:" and are rejected by the existing
check; specifically, update the tests exercising the conditional that references
dangerousProtocols and the protocol variable (the block containing "if
(dangerousProtocols.includes(protocol)) { return null; }") to include cases with
tabs, newlines, and carriage returns in the scheme to prevent regressions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6a3738c9-6834-48ed-9d63-b0dedf5c90db

📥 Commits

Reviewing files that changed from the base of the PR and between 6cfe552 and c09a4cd.

📒 Files selected for processing (2)

• packages/web/src/app/oauth/authorize/components/consentScreen.tsx
• packages/web/src/lib/utils.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/web/src/app/oauth/authorize/components/consentScreen.tsx