From d0be29e25732c410b561cbc3c5607c3c1d4b6c8e Mon Sep 17 00:00:00 2001
From: Baptiste Arnaud
Date: Mon, 25 Mar 2024 19:11:39 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Use=20sanitizeUrl=20on=20redirec?= =?UTF-8?q?tPath=20auth=20param=20(#1389)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/builder/package.json | 1 +
 apps/builder/src/features/auth/components/SignInForm.tsx | 5 ++++-
 pnpm-lock.yaml | 7 +++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/apps/builder/package.json b/apps/builder/package.json
index 683a59437..0d8a15ba3 100644
--- a/apps/builder/package.json
+++ b/apps/builder/package.json
@@ -13,6 +13,7 @@
 "format:check": "prettier --check ./src"
 },
 "dependencies": {
+ "@braintree/sanitize-url": "7.0.1",
 "@chakra-ui/anatomy": "2.1.1",
 "@chakra-ui/react": "2.7.1",
 "@chakra-ui/theme-tools": "2.0.18",
diff --git a/apps/builder/src/features/auth/components/SignInForm.tsx b/apps/builder/src/features/auth/components/SignInForm.tsx
index c850dcad8..85689f16d 100644
--- a/apps/builder/src/features/auth/components/SignInForm.tsx
+++ b/apps/builder/src/features/auth/components/SignInForm.tsx
@@ -28,10 +28,12 @@ import { useToast } from '@/hooks/useToast'
 import { TextLink } from '@/components/TextLink'
 import { SignInError } from './SignInError'
 import { useTranslate } from '@tolgee/react'
+import { sanitizeUrl } from '@braintree/sanitize-url'
 type Props = {
 defaultEmail?: string
 }
+
 export const SignInForm = ({
 defaultEmail,
 }: Props & HTMLChakraProps<'form'>) => {
@@ -55,7 +57,8 @@ export const SignInForm = ({
 useEffect(() => {
 if (status === 'authenticated') {
- router.replace(router.query.redirectPath?.toString() ?? '/typebots')
+ const redirectPath = router.query.redirectPath?.toString()
+ router.replace(redirectPath ? sanitizeUrl(redirectPath) : '/typebots')
 return
 }
 ;(async () => {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index e97270737..c0195c2d7 100644
--- a/pnpm-lock.yaml
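Review bot: In the `useEffect` redirect of SignInForm.tsx, `sanitizeUrl(redirectPath)` still lets the query parameter pick the destination origin. As far as I know, `@braintree/sanitize-url` only neutralises script-bearing schemes such as `javascript:` and passes absolute `https://…` and protocol-relative `//host` values through unchanged, so a crafted sign-in link can still send a freshly authenticated user off-site. I would accept only same-origin paths and fall back to the default otherwise: `const target = redirectPath && /^\/(?![\/\\])/.test(redirectPath) ? sanitizeUrl(redirectPath) : '/typebots'` followed by `router.replace(target)`. A one-line comment above it, `// redirectPath is attacker-controllable: allow only local paths`, would record why the check exists. The `useEffect` body continues past the end of this hunk, so whether other code there reads `redirectPath` is not visible from here.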
+++ b/pnpm-lock.yaml @@ -29,6 +29,9 @@ importers: apps/builder: dependencies: + '@braintree/sanitize-url': + specifier: 7.0.1 + version: 7.0.1 '@chakra-ui/anatomy': specifier: 2.1.1 version: 2.1.1 @@ -3334,6 +3337,10 @@ packages: resolution: {integrity: sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==} dev: true + /@braintree/sanitize-url@7.0.1: + resolution: {integrity: sha512-URg8UM6lfC9ZYqFipItRSxYJdgpU5d2Z4KnjsJ+rj6tgAmGme7E+PQNCiud8g0HDaZKMovu2qjfa0f5Ge0Vlsg==} + dev: false + /@chakra-ui/accordion@2.2.0(@chakra-ui/system@2.5.8)(framer-motion@10.12.20)(react@18.2.0): resolution: {integrity: sha512-2IK1iLzTZ22u8GKPPPn65mqJdZidn4AvkgAbv17ISdKA07VHJ8jSd4QF1T5iCXjKfZ0XaXozmhP4kDhjwF2IbQ==} peerDependencies: