From 16fc5c32ac0de379c930ecccedefe1bc3252cbd9 Mon Sep 17 00:00:00 2001
From: Krzysztof Pajak
Date: Fri, 4 Oct 2024 19:11:44 +0200
Subject: [PATCH] Fix code scanning alert no. 234: URL redirection from remote source
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/Web/Grand.Web/Controllers/CommonController.cs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/Web/Grand.Web/Controllers/CommonController.cs b/src/Web/Grand.Web/Controllers/CommonController.cs
index 19c4a9d0c..839989cb1 100644
--- a/src/Web/Grand.Web/Controllers/CommonController.cs
+++ b/src/Web/Grand.Web/Controllers/CommonController.cs
@@ -270,8 +270,11 @@ public virtual async Task SetStore(
 if (string.IsNullOrEmpty(returnUrl))
 returnUrl = Url.RouteUrl("HomePage");
 
+ // List of valid URLs
+ var validUrls = new List { Url.RouteUrl("HomePage"), Url.RouteUrl("AnotherSafePage") };
+
 //prevent open redirection attack
- if (!Url.IsLocalUrl(returnUrl))
+ if (!Url.IsLocalUrl(returnUrl) || !validUrls.Contains(returnUrl))
 returnUrl = Url.RouteUrl("HomePage");
 
 return Redirect(returnUrl);
@@ -292,8 +295,11 @@ public virtual async Task SetTaxType(
 if (string.IsNullOrEmpty(returnUrl))
 returnUrl = Url.RouteUrl("HomePage");
 
+ // List of valid URLs
+ var validUrls = new List { Url.RouteUrl("HomePage"), Url.RouteUrl("AnotherSafePage") };
+
 //prevent open redirection attack
- if (!Url.IsLocalUrl(returnUrl))
+ if (!Url.IsLocalUrl(returnUrl) || !validUrls.Contains(returnUrl))
 returnUrl = Url.RouteUrl("HomePage");
 
 //whether customers are allowed to select tax display type 
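Review bot: The new condition `!Url.IsLocalUrl(returnUrl) || !validUrls.Contains(returnUrl)` turns the list into a mandatory exact-match allow-list, so any local returnUrl that is not byte-identical to `Url.RouteUrl("HomePage")` — the page the customer came from, or the same path with a query string — is now silently replaced by the home page, which breaks the return-to-page behaviour these actions exist for. `"AnotherSafePage"` reads like a placeholder route name; if no such route is registered, `Url.RouteUrl` returns null and the list effectively holds only the home page. `Url.IsLocalUrl` already rejects absolute and protocol-relative targets, which is the mitigation the alert asks for, so the safer change is to keep `if (!Url.IsLocalUrl(returnUrl))` as it was and, if an allow-list is genuinely wanted, populate it from real route names in one shared helper rather than inline in each action. As printed, `new List { ... }` has no type argument — probably `List<string>` lost in rendering, but worth confirming the file compiles. The same three added lines are repeated in the SetTaxType and SetStoreTheme hunks, and SetStore's body continues past the end of this hunk.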
@@ -328,8 +334,11 @@ public virtual async Task SetStoreTheme(
 if (string.IsNullOrEmpty(returnUrl))
 returnUrl = Url.RouteUrl("HomePage");
 
+ // List of valid URLs
+ var validUrls = new List { Url.RouteUrl("HomePage"), Url.RouteUrl("AnotherSafePage") };
+
 //prevent open redirection attack
- if (!Url.IsLocalUrl(returnUrl))
+ if (!Url.IsLocalUrl(returnUrl) || !validUrls.Contains(returnUrl))
 returnUrl = Url.RouteUrl("HomePage");
 
 return Redirect(returnUrl);
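Review bot: This is the third copy of the same empty-check / `IsLocalUrl` / home-page fallback sequence (SetStore and SetTaxType carry the other two), and the commit grows each copy by three lines instead of factoring them out. A private helper on the controller that takes the raw `returnUrl` and returns the URL to redirect to leaves a single place to reason about when reviewing the redirect check, and each action body shrinks to `returnUrl = GetSafeReturnUrl(returnUrl);`; any allow-listing that is kept would then live in the helper rather than in three methods. SetStoreTheme's body continues outside the hunk.

```csharp
// Returns returnUrl when it is a local URL, otherwise the home page route.
// Shared by SetStore, SetTaxType and SetStoreTheme.
private string GetSafeReturnUrl(string returnUrl)
{
    if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
        return Url.RouteUrl("HomePage");

    return returnUrl;
}
```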