From f2ced20c420c827f5c2ebf1fb405b35056687914 Mon Sep 17 00:00:00 2001
From: Nicolas Dorier
Date: Thu, 2 Feb 2023 09:42:58 +0900
Subject: [PATCH] Fix a bunch of open redirect (#4575)
---
 BTCPayServer.Tests/SeleniumTester.cs | 1 -
 BTCPayServer/Extensions/UrlHelperExtensions.cs | 13 +++++++++++++
 .../StoreViewModels/RecoverySeedBackupViewModel.cs | 3 ++-
 BTCPayServer/Views/Shared/ConfirmModal.cshtml | 2 +-
 BTCPayServer/Views/Shared/PostRedirect.cshtml | 2 +-
 BTCPayServer/Views/UIHome/RecoverySeedBackup.cshtml | 4 ++--
 BTCPayServer/Views/UIStores/WalletSettings.cshtml | 4 ++--
 BTCPayServer/Views/UIWallets/SignWithSeed.cshtml | 4 ++--
 BTCPayServer/Views/UIWallets/WalletPSBT.cshtml | 4 ++--
 .../Views/UIWallets/WalletPSBTCombine.cshtml | 4 ++--
 .../Views/UIWallets/WalletPSBTDecoded.cshtml | 4 ++--
 BTCPayServer/Views/UIWallets/WalletReceive.cshtml | 4 ++--
 BTCPayServer/Views/UIWallets/WalletSend.cshtml | 4 ++--
 BTCPayServer/Views/UIWallets/WalletSendVault.cshtml | 4 ++--
 .../Views/UIWallets/WalletSigningOptions.cshtml | 4 ++--
 15 files changed, 37 insertions(+), 24 deletions(-)
diff --git a/BTCPayServer.Tests/SeleniumTester.cs b/BTCPayServer.Tests/SeleniumTester.cs
index dc68d68bb..a6bb5fb29 100644
--- a/BTCPayServer.Tests/SeleniumTester.cs
+++ b/BTCPayServer.Tests/SeleniumTester.cs
@@ -203,7 +203,6 @@ namespace BTCPayServer.Tests
 {
 var isImport = !string.IsNullOrEmpty(seed);
 GoToWalletSettings(cryptoCode);
-
 // Replace previous wallet case
 if (Driver.PageSource.Contains("id=\"ChangeWalletLink\""))
 {
diff --git a/BTCPayServer/Extensions/UrlHelperExtensions.cs b/BTCPayServer/Extensions/UrlHelperExtensions.cs
index 0dafbf989..70426808e 100644
--- a/BTCPayServer/Extensions/UrlHelperExtensions.cs
+++ b/BTCPayServer/Extensions/UrlHelperExtensions.cs
@@ -1,4 +1,5 @@
+using System;
 using BTCPayServer;
 using BTCPayServer.Client.Models;
 using BTCPayServer.Controllers;
@@ -10,6 +11,18 @@ namespace Microsoft.AspNetCore.Mvc
 {
 public static class UrlHelperExtensions
 {
+#nullable enable
+ public static string? EnsureLocal(this IUrlHelper helper, string? url, HttpRequest? httpRequest = null)
+ {
+ if (url is null || helper.IsLocalUrl(url))
+ return url;
+ if (httpRequest is null)
+ return null;
+ if (Uri.TryCreate(url, UriKind.Absolute, out var r) && r.Host.Equals(httpRequest.Host.Host))
+ return url;
+ return null;
+ }
+#nullable restore
 public static string EmailConfirmationLink(this LinkGenerator urlHelper, string userId, string code, string scheme, HostString host, string pathbase)
 {
 return urlHelper.GetUriByAction(nameof(UIAccountController.ConfirmEmail), "UIAccount",
diff --git a/BTCPayServer/Models/StoreViewModels/RecoverySeedBackupViewModel.cs b/BTCPayServer/Models/StoreViewModels/RecoverySeedBackupViewModel.cs
index 1b7f58ccc..412b5c1f9 100644
--- a/BTCPayServer/Models/StoreViewModels/RecoverySeedBackupViewModel.cs
+++ b/BTCPayServer/Models/StoreViewModels/RecoverySeedBackupViewModel.cs
@@ -1,3 +1,4 @@
+using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using Microsoft.AspNetCore.Http;
@@ -16,7 +17,7 @@ namespace BTCPayServer.Models.StoreViewModels
 public string[] Words
 {
- get => Mnemonic.Split((char[])null, System.StringSplitOptions.RemoveEmptyEntries);
+ get => Mnemonic?.Split((char[])null, System.StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty();
 }
 }
 }
diff --git a/BTCPayServer/Views/Shared/ConfirmModal.cshtml b/BTCPayServer/Views/Shared/ConfirmModal.cshtml
index 8549f8a66..5658f64bf 100644
--- a/BTCPayServer/Views/Shared/ConfirmModal.cshtml
+++ b/BTCPayServer/Views/Shared/ConfirmModal.cshtml
@@ -32,7 +32,7 @@
 @if (!string.IsNullOrEmpty(Model.Action))
 {
-
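Review bot: The absolute-URL branch of EnsureLocal compares only the host, so any scheme or port on that host is accepted — an `http://` URL to the same host passes on an `https://` request, and `Uri.TryCreate(..., UriKind.Absolute)` will also parse non-web schemes, which the host check alone does not rule out. The comparison is also the default ordinal `string.Equals`, so a host that differs only in case (equivalent in DNS) is rejected; that fails closed, but callers will get spurious nulls. I would tighten the condition to `if (Uri.TryCreate(url, UriKind.Absolute, out var r) && (r.Scheme == Uri.UriSchemeHttp || r.Scheme == Uri.UriSchemeHttps) && r.Host.Equals(httpRequest.Host.Host, StringComparison.OrdinalIgnoreCase))` and, if the site is served on a single port, compare `r.Port` against `httpRequest.Host.Port` as well. A `/// <summary>` saying that the method returns `url` only when it is a local path or, when `httpRequest` is supplied, an http(s) URL on the same host, and `null` otherwise, would pin the fail-closed contract for callers. The enclosing UrlHelperExtensions class continues outside the hunk.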
+ @if (Model.RequireConfirm) { - + @@ -82,7 +82,7 @@ } else { - Done + Done } diff --git a/BTCPayServer/Views/UIStores/WalletSettings.cshtml b/BTCPayServer/Views/UIStores/WalletSettings.cshtml index 746eafe94..fcbea8507 100644 --- a/BTCPayServer/Views/UIStores/WalletSettings.cshtml +++ b/BTCPayServer/Views/UIStores/WalletSettings.cshtml @@ -52,7 +52,7 @@ data-bs-toggle="modal" data-bs-target="#ConfirmModal" data-title="Replace @Model.CryptoCode wallet" - data-description="@Html.Encode(ViewData["ReplaceDescription"])" + data-description="@ViewData["ReplaceDescription"]" data-confirm="Setup new wallet" data-confirm-input="REPLACE"> Replace wallet @@ -64,7 +64,7 @@ data-bs-toggle="modal" data-bs-target="#ConfirmModal" data-title="Remove @Model.CryptoCode wallet" - data-description="@Html.Encode(ViewData["RemoveDescription"])" + data-description="@ViewData["RemoveDescription"]" data-confirm="Remove" data-confirm-input="REMOVE">Remove wallet
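Review bot: Dropping `Html.Encode` from the `data-description` attribute in the `@@ -52` hunk of WalletSettings.cshtml (and again in `@@ -64`) is only safe if `ViewData["ReplaceDescription"]` and `ViewData["RemoveDescription"]` hold plain strings: Razor HTML-encodes a `string` written with `@`, which is why the old code double-encoded, but it writes an `IHtmlContent`/`HtmlString` value verbatim. The controller that populates these entries is not in the diff, so please confirm they are assigned as `string` rather than `HtmlString`; otherwise the text would now land unencoded inside an attribute that the `#ConfirmModal` partial consumes. If the descriptions are meant to carry markup, the encoding decision belongs where the modal inserts them, not in this attribute.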
diff --git a/BTCPayServer/Views/UIWallets/SignWithSeed.cshtml b/BTCPayServer/Views/UIWallets/SignWithSeed.cshtml index e68d8c2df..bc1e73dda 100644 --- a/BTCPayServer/Views/UIWallets/SignWithSeed.cshtml +++ b/BTCPayServer/Views/UIWallets/SignWithSeed.cshtml @@ -11,11 +11,11 @@ @section Navbar { @if (backUrl != null) { - + } - + } diff --git a/BTCPayServer/Views/UIWallets/WalletPSBT.cshtml b/BTCPayServer/Views/UIWallets/WalletPSBT.cshtml index 08507f37a..95a69e9a1 100644 --- a/BTCPayServer/Views/UIWallets/WalletPSBT.cshtml +++ b/BTCPayServer/Views/UIWallets/WalletPSBT.cshtml @@ -11,11 +11,11 @@ @section Navbar { @if (backUrl != null) { - + } - + } diff --git a/BTCPayServer/Views/UIWallets/WalletPSBTCombine.cshtml b/BTCPayServer/Views/UIWallets/WalletPSBTCombine.cshtml index 9e66b1fab..cf340e054 100644 --- a/BTCPayServer/Views/UIWallets/WalletPSBTCombine.cshtml +++ b/BTCPayServer/Views/UIWallets/WalletPSBTCombine.cshtml @@ -11,11 +11,11 @@ @section Navbar { @if (backUrl != null) { - + } - + } diff --git a/BTCPayServer/Views/UIWallets/WalletPSBTDecoded.cshtml b/BTCPayServer/Views/UIWallets/WalletPSBTDecoded.cshtml index 06ad3b033..30757ad27 100644 --- a/BTCPayServer/Views/UIWallets/WalletPSBTDecoded.cshtml +++ b/BTCPayServer/Views/UIWallets/WalletPSBTDecoded.cshtml @@ -75,11 +75,11 @@ @section Navbar { @if (backUrl != null) { - + } - + } diff --git a/BTCPayServer/Views/UIWallets/WalletReceive.cshtml b/BTCPayServer/Views/UIWallets/WalletReceive.cshtml index 8841e4713..184725eb3 100644 --- a/BTCPayServer/Views/UIWallets/WalletReceive.cshtml +++ b/BTCPayServer/Views/UIWallets/WalletReceive.cshtml @@ -1,4 +1,4 @@ -@inject BTCPayServer.Services.BTCPayServerEnvironment env +@inject BTCPayServer.Services.BTCPayServerEnvironment env @using BTCPayServer.Controllers @using BTCPayServer.Components.QRCode @model BTCPayServer.Controllers.WalletReceiveViewModel @@ -15,7 +15,7 @@ } @section Navbar { - + } 
diff --git a/BTCPayServer/Views/UIWallets/WalletSend.cshtml b/BTCPayServer/Views/UIWallets/WalletSend.cshtml index ca59133b4..d0df9a394 100644 --- a/BTCPayServer/Views/UIWallets/WalletSend.cshtml +++ b/BTCPayServer/Views/UIWallets/WalletSend.cshtml @@ -14,11 +14,11 @@ @section Navbar { @if (backUrl != null) { - + } - + } diff --git a/BTCPayServer/Views/UIWallets/WalletSendVault.cshtml b/BTCPayServer/Views/UIWallets/WalletSendVault.cshtml index 394998319..184e34081 100644 --- a/BTCPayServer/Views/UIWallets/WalletSendVault.cshtml +++ b/BTCPayServer/Views/UIWallets/WalletSendVault.cshtml @@ -11,11 +11,11 @@ @section Navbar { @if (backUrl != null) { - + } - + } diff --git a/BTCPayServer/Views/UIWallets/WalletSigningOptions.cshtml b/BTCPayServer/Views/UIWallets/WalletSigningOptions.cshtml index 0e2bae871..2c4652a49 100644 --- a/BTCPayServer/Views/UIWallets/WalletSigningOptions.cshtml +++ b/BTCPayServer/Views/UIWallets/WalletSigningOptions.cshtml @@ -12,11 +12,11 @@ @section Navbar { @if (backUrl != null) { - + } - + }