Merge to Master - September 11, 2025 #6477
Conversation
…sic) Part 2 for AB#16942 (#6473) * Update date position and add type to timeline entry card for AB#16942. * Normalize DIN/PIN with padded zeros in medication store for AB#16942. * Disable AppTour header access and update AppTour slides for AB#16942. * Disable local covid19TestResult and dependent timeline for AB#16942. * Update AppError v-app-bar border (Original change #6460) for AB#16942. * Update app tour's last tile's done button text for AB#16942.
…4. (#6475) * Update BC Cancer title and Timeline Entry mobile response for AB#16944. * Re-enable Covid19 report for dependent for AB#16943.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
* Fix sonar warnings for AB#16947. * Update patient data Redis script for DistributedCacheProvider (AB#16947) * Cropped out excess white space in landing-top image for AB#16947.
* Create Redirect controller
    _ => "home",
};

return this.Redirect($"{baseUrl}/{newPath}");
Check warning: Code scanning / CodeQL
URL redirection from remote source (Medium): user-provided value
Copilot Autofix (AI, 27 days ago)
To fix this issue, we should avoid constructing the redirect destination using potentially attacker-controlled values (Request.Scheme, Request.Host).
The best solution:
- Only issue redirects to relative URLs (e.g., /timeline), never to absolute URLs that include the scheme and hostname.
- This avoids all "open redirect" risks from untrusted scheme/host data, as the browser remains on the site.
- The Redirect() method in ASP.NET Core accepts both relative and absolute URLs; passing a relative path is safe.
What to do:
- On line 43, remove construction of baseUrl, and only use the safe relative path in the redirect.
- On line 55, change the destination to "/" + newPath (relative path).
- No new imports or library calls are needed; only change the composition of the redirect target.
@@ -40,8 +40,8 @@ | ||
[ApiExplorerSettings(IgnoreApi = true)] | ||
public ActionResult MapRedirect(string oldPath) | ||
{ | ||
var baseUrl = $"{this.Request.Scheme}://{this.Request.Host}"; | ||
|
||
|
||
string newPath = oldPath?.ToLower(CultureInfo.InvariantCulture) switch | ||
{ | ||
"timeline" => "timeline", | ||
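Review bot: removing the `baseUrl` line drops the only tainted input in this action; `newPath` is constrained to the switch's literal arms and the `_ => "home"` default (a null `oldPath` also lands on the default via the null-conditional), so nothing user-controlled remains in the redirect target once the scheme/host prefix is gone. Minor style point: `oldPath?.ToLower(CultureInfo.InvariantCulture)` is equivalent to `oldPath?.ToLowerInvariant()`, which reads more directly and drops the `System.Globalization` dependency.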
@@ -52,7 +51,7 @@ | ||
_ => "home", | ||
}; | ||
|
||
return this.Redirect($"{baseUrl}/{newPath}"); | ||
return this.Redirect($"/{newPath}"); | ||
} | ||
} | ||
} |
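Review bot: `$"/{newPath}"` is a site-relative path, so `Request.Host` no longer reaches the Location header, which resolves the CodeQL finding. Consider `return this.LocalRedirect($"/{newPath}");` in place of `this.Redirect(...)`: `LocalRedirect` throws for any value that is not a local URL, which guards against a future switch arm that is not a plain path segment (a value starting with `//` would be treated by browsers as protocol-relative and leave the site).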
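An added regression test for the fix described in the autofix comment above; it is not part of the pull request. It uses a minimal copy of MapRedirect with the Host header set to an untrusted value and asserts that the emitted target is site-relative. The class name RedirectController, the xUnit harness and the use of LocalRedirect instead of Redirect are assumptions.

```csharp
using System.Globalization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Xunit;

// Stand-in for the controller in the pull request (assumed name).
public class RedirectController : Controller
{
    [ApiExplorerSettings(IgnoreApi = true)]
    public ActionResult MapRedirect(string oldPath)
    {
        // Map legacy paths to a fixed set of destinations; anything else falls to "home".
        string newPath = oldPath?.ToLower(CultureInfo.InvariantCulture) switch
        {
            "timeline" => "timeline",
            _ => "home",
        };

        // Site-relative target: Request.Scheme and Request.Host never reach the Location header.
        // LocalRedirect (assumed substitution for Redirect) also throws if the value is not local.
        return this.LocalRedirect($"/{newPath}");
    }
}

public class RedirectControllerTests
{
    private static RedirectController WithRequestHost(string host)
    {
        // Constructed request whose Host header carries an untrusted value.
        var httpContext = new DefaultHttpContext();
        httpContext.Request.Scheme = "https";
        httpContext.Request.Host = new HostString(host);
        return new RedirectController
        {
            ControllerContext = new ControllerContext { HttpContext = httpContext },
        };
    }

    [Theory]
    [InlineData("timeline", "/timeline")]
    [InlineData("TIMELINE", "/timeline")]
    [InlineData("unknown", "/home")]
    [InlineData(null, "/home")]
    public void RedirectTargetIgnoresHostHeader(string oldPath, string expected)
    {
        var result = WithRequestHost("untrusted.example").MapRedirect(oldPath);

        var redirect = Assert.IsType<LocalRedirectResult>(result);
        Assert.Equal(expected, redirect.Url);
        Assert.DoesNotContain("untrusted.example", redirect.Url);
    }
}
```

With the pre-fix action the same test would fail, because the Location value would start with https://untrusted.example.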
Fixes or Implements AB#nnnnn
Description
Merge to Master - September 11, 2025
Testing
UI Changes
Yes.
Notes
Items to Review: