hackclub · Luke-Oldenburg · Dec 7, 2025 · Dec 7, 2025 · Dec 7, 2025 · Dec 7, 2025
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
@@ -1407,7 +1407,7 @@ def referral_programs
   end
 
   def referral_program_create
-    @referral_program = Referral::Program.new(name: params[:name], creator: current_user)
+    @referral_program = Referral::Program.new(name: params[:name], redirect_to: params[:redirect_to], creator: current_user)
 
     if @referral_program.save
       flash[:success] = "Referral program created successfully."

diff --git a/app/controllers/referral/links_controller.rb b/app/controllers/referral/links_controller.rb
@@ -17,11 +17,13 @@
         Rails.error.handle do
           Referral::Attribution.create!(user: current_user, program: @link.program, link: @link)
         end
+
+        redirect_to @link.program.redirect_to.presence || root_path, allow_other_host: true
       else
         skip_authorization
-      end
 
-      redirect_to params[:return_to] || root_path
+        redirect_to params[:return_to] || root_path
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+require 'uri'
+
 module Referral
  class LinksController < ApplicationController
    before_action :set_link, only: :show
@@ -22,7 +24,7 @@
      else
        skip_authorization
-        redirect_to params[:return_to] || root_path
+        redirect_to sanitize_return_to
      end
    end
@@ -32,5 +34,23 @@
      @link = Referral::Link.find_by(slug: params[:id]).presence || Referral::Link.find_by_hashid(params[:id])
    end
+    # Only allow redirection to a safe internal path.
+    def sanitize_return_to
+      return_to = params[:return_to]
+      return root_path unless return_to.present?
+
+      begin
+        uri = URI.parse(return_to)
+        # Allow only relative paths (no scheme or host)
+        if uri.host.nil? && uri.scheme.nil? && uri.path.present? && return_to.starts_with?('/')
+          return return_to
+        else
+          return root_path
+        end
+      rescue URI::InvalidURIError
+        root_path
+      end
+    end
+
  end
 end
@@ -1,5 +1,7 @@
 # frozen_string_literal: true

+require 'uri'
+
 module Referral
  class LinksController < ApplicationController
    before_action :set_link, only: :show
@@ -22,7 +24,7 @@
      else
        skip_authorization

-        redirect_to params[:return_to] || root_path
+        redirect_to sanitize_return_to
      end
    end

@@ -32,5 +34,23 @@
      @link = Referral::Link.find_by(slug: params[:id]).presence || Referral::Link.find_by_hashid(params[:id])
    end

+    # Only allow redirection to a safe internal path.
+    def sanitize_return_to
+      return_to = params[:return_to]
+      return root_path unless return_to.present?
+
+      begin
+        uri = URI.parse(return_to)
+        # Allow only relative paths (no scheme or host)
+        if uri.host.nil? && uri.scheme.nil? && uri.path.present? && return_to.starts_with?('/')
+          return return_to
+        else
+          return root_path
+        end
+      rescue URI::InvalidURIError
+        root_path
+      end
+    end
+
  end
 end
+      end
     end
 
     private

diff --git a/app/models/referral/program.rb b/app/models/referral/program.rb
@@ -10,6 +10,7 @@
 #  login_header_text    :string
 #  login_text_color     :string
 #  name                 :string           not null
+#  redirect_to          :string
 #  created_at           :datetime         not null
 #  updated_at           :datetime         not null
 #  creator_id           :bigint

diff --git a/app/views/admin/referral_programs.html.erb b/app/views/admin/referral_programs.html.erb
@@ -8,6 +8,7 @@
           <div class="flex flex-col">
             <h5 class="m-0 p-0"><%= program.name %></h5>
             <small class="text-muted"><%= program.created_at.strftime("%Y-%m-%d") %> • Created by <%= program.creator.name %></small>
+            <small class="text-muted">Redirects to: <%= link_to(program.redirect_to.presence || root_url) %></small>
           </div>
           <div class="flex flex-row gap-2 justify-between m-0">
             <span class="m-0"><%= pluralize(program.users.size, "user") %> • <%= pluralize(program.new_users.size, "new user") %></span>
@@ -65,7 +66,8 @@
     <legend>Create a referral program</legend>
     <%= form.label :name, "Program name" %>
     <%= form.text_field :name, placeholder: "Program Name", required: true, class: "w-100" %>
-    <br>
+    <%= form.label :redirect_to, "Redirect to (optional)" %>
+    <%= form.text_field :redirect_to, placeholder: "https://hcb.hackclub.com/", class: "w-100" %>
     <%= form.submit "Create", class: "btn bg-success" %>
   </fieldset>
 <% end %>
@@ -0,0 +1,5 @@
+class AddRedirectToToReferralPrograms < ActiveRecord::Migration[8.0]
+  def change
+    add_column :referral_programs, :redirect_to, :string
+  end
+end
@@ -12,7 +12,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.0].define(version: 2025_12_05_035167) do
+ActiveRecord::Schema[8.0].define(version: 2025_12_07_022849) do
   create_schema "google_sheets"
 
   # These are extensions that must be enabled in order to support this database
@@ -2010,6 +2010,7 @@
     t.string "login_header_text"
     t.string "login_text_color"
     t.string "name", null: false
+    t.string "redirect_to"
     t.datetime "updated_at", null: false
     t.index ["creator_id"], name: "index_referral_programs_on_creator_id"
   end