From 128dcdd420c5d931d888cd19d8da88f221211605 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Do=C4=9Fukan=20=C3=9Crker?=
Date: Tue, 17 Dec 2024 14:49:37 +0300
Subject: [PATCH] Fix code scanning alert no. 102: URL redirection from remote source
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 routes/login.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/routes/login.py b/routes/login.py
index e3aaa9ba..45d96633 100755
--- a/routes/login.py
+++ b/routes/login.py
@@ -41,7 +41,11 @@ def login(direct):
 Raises:
 401: If the login is unsuccessful.
 """
- direct = direct.replace("&", "/") # Convert direct link parameter
+ direct = direct.replace("&", "/").replace('\\', '') # Convert direct link parameter and handle backslashes
+ from urllib.parse import urlparse # Import urlparse for URL validation
+ if urlparse(direct).netloc or urlparse(direct).scheme:
+ # If the direct URL contains a host name or scheme, redirect to home page
+ direct = '/'
 match LOG_IN:
 case True:
 match "userName" in session:
@@ -49,7 +53,7 @@ def login(direct):
 # If user is already logged in, redirect
 Log.danger(f'User: "{session["userName"]}" already logged in')
 return (
- redirect(direct),
+ redirect(direct), # Safe redirect after validation
 301,
 )
 case False:
@@ -178,6 +182,6 @@ def login(direct):
 )
 case False:
 return (
- redirect(direct),
+ redirect(direct), # Safe redirect after validation
 301,
 )
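Review bot: The guard on the `if urlparse(direct).netloc or urlparse(direct).scheme:` line is a denylist — it only rejects values that parse with a host or scheme and passes everything else to `redirect()` verbatim, including an empty string (a `direct` made only of backslashes collapses to `""` after the new `.replace('\\', '')`) and values that do not start with `/`; stating the intended contract as an allowlist is simpler to reason about, e.g. `parsed = urlparse(direct)` followed by `if not direct.startswith("/") or direct.startswith("//") or parsed.netloc or parsed.scheme: direct = "/"`. Binding `parsed` once also removes the duplicated `urlparse(direct)` call on that line. The function-local `from urllib.parse import urlparse` should move to the module's import block rather than run on every login request. The body of `login` begins before this hunk and continues past it, so the two `redirect(direct)` sites in the later hunks are the only callers visible here; confirm no other use of `direct` precedes the validation.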