Allow subdomain redirects in tracking logic

emark/views.py

@@ -1,5 +1,8 @@
+from urllib.parse import urlparse
+
 from django import http
-from django.utils.http import url_has_allowed_host_and_scheme
+from django.conf import settings
+from django.http.request import split_domain_port, validate_host
 from django.views import View
 from django.views.generic.detail import SingleObjectMixin
 
@@ -45,10 +48,21 @@ def get(self, request, *args, **kwargs):
         # The redirect_to URL is user-provided, so it might be malicious
         # or malformed. We use Django's URL validation to ensure that it
         # is safe to redirect to.
-        if not url_has_allowed_host_and_scheme(
-            url=redirect_to,
-            allowed_hosts=request.get_host(),
-            require_https=request.is_secure(),
+        parsed_url = urlparse(redirect_to)
+        domain, _port = split_domain_port(parsed_url.netloc)
+        allowed_hosts = settings.ALLOWED_HOSTS
+        if settings.DEBUG:
+            allowed_hosts = settings.ALLOWED_HOSTS + [
+                ".localhost",
+                "127.0.0.1",
+                "[::1]",
+            ]
+        if any(
+            [
+                not domain,
+                not validate_host(domain, allowed_hosts),
+                request.scheme != parsed_url.scheme,
+            ]
         ):
             return http.HttpResponseBadRequest("Missing url or malformed parameter")
 

tests/test_views.py

@@ -51,6 +51,41 @@ def test_get__unsafe_redirect_url(self, client, live_server):
         response = client.get(url)
         assert response.status_code == 400
 
+    @pytest.mark.django_db
+    def test_get__different_schema_redirect_url(self, client, live_server):
+        msg = baker.make("emark.Send")
+        redirect_url = "https://sub.testserver/?utm_source=foo"
+
+        url = reverse("emark:email-click", kwargs={"pk": msg.pk})
+
+        url = f"{url}?{urlencode({'url': redirect_url})}"
+        response = client.get(url)
+        assert response.status_code == 400
+
+    @pytest.mark.django_db
+    def test_get__subdomain_redirect_url(self, client, live_server, settings):
+        settings.ALLOWED_HOSTS = ["testserver", ".testserver"]
+        msg = baker.make("emark.Send")
+        redirect_url = "http://sub.testserver/?utm_source=foo"
+
+        url = reverse("emark:email-click", kwargs={"pk": msg.pk})
+
+        url = f"{url}?{urlencode({'url': redirect_url})}"
+        response = client.get(url)
+        assert response.status_code == 302
+
+    @pytest.mark.django_db
+    def test_get__subdomain_debug(self, client, live_server, settings):
+        settings.DEBUG = True
+        msg = baker.make("emark.Send")
+        redirect_url = "http://sub.localhost/?utm_source=foo"
+
+        url = reverse("emark:email-click", kwargs={"pk": msg.pk})
+
+        url = f"{url}?{urlencode({'url': redirect_url})}"
+        response = client.get(url)
+        assert response.status_code == 302
+
     @pytest.mark.django_db
     def test_get__no_email(self, client):
         response = client.get(reverse("emark:email-click", kwargs={"pk": uuid.uuid4()}))