Simplify redirect whitelist validation per PR review

dauglyon · dauglyon · commit 3bb3d5456873 · 2026-01-15T10:28:52.000-08:00
- Remove isValidWildcardPattern function (provided false sense of security)
- Trust whitelist as configured, only reject literal "*"
- Add default whitelist value (*.kbase.us) for local development
- Clarify .env header comment about config.json overwriting values
diff --git a/.env b/.env
@@ -1,5 +1,5 @@
-# Includes env defaults for local development,
-# for deploy enviroment configurations, see config.json
+# Defaults for local development only.
+# These values are overwritten by config.json when deployed.
 
 # Base URL path for the enviroment
 PUBLIC_URL = '/dev/'
@@ -16,7 +16,7 @@ REACT_APP_KBASE_BACKUP_COOKIE_NAME = 'test_kbase_backup_session'
 REACT_APP_KBASE_BACKUP_COOKIE_DOMAIN = 'localhost'
 
 # Comma-separated list of allowed external redirect domains (supports wildcards like *.berdl.kbase.us)
-REACT_APP_REDIRECT_WHITELIST = ''
+REACT_APP_REDIRECT_WHITELIST = '*.kbase.us'
 
 EXTEND_ESLINT=true
 SKIP_PREFLIGHT_CHECK=true
diff --git a/src/common/utils/redirectValidation.test.ts b/src/common/utils/redirectValidation.test.ts
@@ -1,6 +1,5 @@
 import {
   isExternalUrl,
-  isValidWildcardPattern,
   matchesWildcard,
   getRedirectWhitelist,
   isWhitelistedExternalUrl,
@@ -33,25 +32,6 @@ describe('isExternalUrl', () => {
   });
 });
 
-describe('isValidWildcardPattern', () => {
-  test('accepts exact domains', () => {
-    expect(isValidWildcardPattern('hub.berdl.kbase.us')).toBe(true);
-    expect(isValidWildcardPattern('example.com')).toBe(true);
-  });
-
-  test('accepts wildcards with 2+ domain parts', () => {
-    expect(isValidWildcardPattern('*.berdl.kbase.us')).toBe(true);
-    expect(isValidWildcardPattern('*.kbase.us')).toBe(true);
-    expect(isValidWildcardPattern('*.example.com')).toBe(true);
-  });
-
-  test('rejects TLD-only wildcards', () => {
-    expect(isValidWildcardPattern('*.com')).toBe(false);
-    expect(isValidWildcardPattern('*.us')).toBe(false);
-    expect(isValidWildcardPattern('*.org')).toBe(false);
-  });
-});
-
 describe('matchesWildcard', () => {
   test('matches exact domains', () => {
     expect(matchesWildcard('example.com', 'example.com')).toBe(true);
@@ -174,9 +154,14 @@ describe('isWhitelistedExternalUrl', () => {
     expect(isWhitelistedExternalUrl('')).toBe(false);
   });
 
-  test('returns false when pattern is too broad', () => {
+  test('returns false when whitelist contains literal asterisk', () => {
+    process.env.REACT_APP_REDIRECT_WHITELIST = '*';
+    expect(isWhitelistedExternalUrl('https://anything.com')).toBe(false);
+  });
+
+  test('allows broad wildcards like *.com when explicitly configured', () => {
     process.env.REACT_APP_REDIRECT_WHITELIST = '*.com';
-    expect(isWhitelistedExternalUrl('https://evil.com')).toBe(false);
+    expect(isWhitelistedExternalUrl('https://anything.com')).toBe(true);
   });
 
   test('works with multiple whitelist entries', () => {
diff --git a/src/common/utils/redirectValidation.ts b/src/common/utils/redirectValidation.ts
@@ -2,8 +2,7 @@
  * Utilities for validating external redirect URLs.
  *
  * External URLs must be HTTPS and match a whitelisted domain pattern.
- * Wildcards like *.berdl.kbase.us are supported, but TLD-only
- * wildcards (*.com, *.us) are rejected for security.
+ * Wildcards like *.berdl.kbase.us are supported. Literal "*" is rejected.
  */
 
 export const getRedirectWhitelist = (): string[] => {
@@ -14,18 +13,6 @@ export const getRedirectWhitelist = (): string[] => {
     .filter(Boolean);
 };
 
-/**
- * Validates that a wildcard pattern is not too broad.
- * Rejects patterns like *.com or *.co.uk that would match any domain.
- * Requires at least 2 domain parts after the wildcard.
- */
-export const isValidWildcardPattern = (pattern: string): boolean => {
-  if (!pattern.startsWith('*.')) return true; // exact domain, always valid
-  const withoutWildcard = pattern.slice(2);
-  const parts = withoutWildcard.split('.');
-  return parts.length >= 2; // e.g., *.berdl.kbase.us has 3 parts
-};
-
 /**
  * Checks if a hostname matches a domain pattern.
  * Supports wildcards: *.berdl.kbase.us matches hub.berdl.kbase.us
@@ -42,7 +29,7 @@ export const matchesWildcard = (hostname: string, pattern: string): boolean => {
  * Validates if a URL is whitelisted for external redirect.
  * - Must be HTTPS
  * - Must match a pattern in the whitelist
- * - Wildcard patterns must not be too broad
+ * - Rejects if whitelist contains literal "*"
  */
 export const isWhitelistedExternalUrl = (url: string): boolean => {
   try {
@@ -52,10 +39,11 @@ export const isWhitelistedExternalUrl = (url: string): boolean => {
     if (parsed.protocol !== 'https:') return false;
 
     const whitelist = getRedirectWhitelist();
-    return whitelist.some(
-      (pattern) =>
-        isValidWildcardPattern(pattern) &&
-        matchesWildcard(parsed.hostname, pattern)
+
+    if (whitelist.includes('*')) return false;
+
+    return whitelist.some((pattern) =>
+      matchesWildcard(parsed.hostname, pattern)
     );
   } catch {
     return false;
