Harden `django.shortcuts.redirect` to validate redirect URL

[RealOrangeOne]

Code of Conduct

• I agree to follow Django's Code of Conduct

Feature Description

I suggest extending the redirect shortcut with a few additional (opt-in) arguments to validate the URL being redirected to. Notably:

• allowed_hosts, to specify hosts that the URL can be redirected to (or [] to require only a path-based redirect)
• require_https, to ensure the redirect stays secure

Following that validation, iri_to_uri would be run on the path to ensure it's correctly encoded before being passed to the response.

Problem

Following a conversation on the forum, it was noted that Django's url_has_allowed_host_and_scheme is an internal API, despite being a core piece of functionality when validating a user's redirect API (eg the next query param).

def my_view(request):
    next_url = request.GET.get('next')
    
    if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=["example.com"], require_https=request.is_secure()):
        return redirect(next_url)
    
    return redirect("/")

I believe this pattern performs all the validation, however it's easy to mess up:

• url_has_allowed_host_and_scheme isn't publicly documented, therefore has no stability guarantees (sort of)
• Someone could easily skip redirect and just build a HttpResponse and set a Location header on it (unlikely, but probably happens)
• People may forget that it's possible redirect https -> http.

Request or proposal

proposal

Additional Details

As Carlton correctly points out on the forum thread, validation is multi-step, and you need all of them to pass. That's why I don't think making url_has_allowed_host_and_scheme public is necessarily the right solution. Instead, a single public API ensures all steps of the validation are performed, so one can't be missed or forgotten.

Implementation Suggestions

Many of the building blocks are already there in url_has_allowed_host_and_scheme, they just need to be used.

If not passed, the validation should not be applied, so as not to be a breaking change to redirect.

---

These thoughts are my own, and not necessarily of the wider Security Team.

[github-actions]

Thank you RealOrangeOne for sharing your idea! We have a lot of them so please be patient. You can see the current queue here.

Community instructions

For commenters, please use the emoji reactions on the issue to express support, and/or concern easily. Please use the comments to ask questions or contribute knowledge about the idea. It is unhelpful to post comments of "I'd love this" or "What's the state of this?"

Reaction Guide

• 👍 This is something I would use
• 👎 This is something that would cause problems for me or Django
• 😕 I’m indifferent to this
• 🎉 This is an easy win

[carltongibson]

I’m sceptical about this. Doing it totally generically is hard. In contrast for a given site it’s usually trivial to know if a URL should be allowed — either relative only, most usually, or one, or few, specific host and scheme option(s). It’s much simpler and much easier to audit for folks to just do that simple check themselves. (Rather than Django open up a slow bleed of difficult to handle edge cases.)

“Check your URL with logic appropriate to your app and then use the provided redirect classes” is clear and easy.