fix: add resolvability check before redirecting to prevent insecure redirects after publishing

[theShinigami]

Description

After publishing, if there is a requested URL, it first checks if the requested URL is resolvable. If it is not, it defaults to the version list URL.

Related resources

• [bug] Insecure redirect after publishing etc. #421

Checklist

• I have opened this pull request against master
• I have added or modified the tests when changing logic
• I have followed the conventional commits guidelines to add meaningful information into the changelog
• I have read the contribution guidelines and I have joined #workgroup-pr-review on
  Slack to find a “pr review buddy” who is going to review my pull request.

Summary by Sourcery

Implement a resolvability check for requested URLs in the publish view to prevent insecure redirects after publishing. Update tests to cover scenarios with resolvable and non-resolvable URLs.

Bug Fixes:

• Add a resolvability check for requested URLs before redirecting after publishing to prevent insecure redirects.

Tests:

• Introduce a test to verify the behavior of the publish view when handling resolvable and non-resolvable redirect URLs.

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR implements a security enhancement for the publish view redirect functionality. It adds a URL resolvability check before performing redirects after publishing content to prevent potential insecure redirects. If a requested redirect URL is not resolvable within the application, it falls back to the version list URL.

Sequence diagram for URL resolvability check before redirect

sequenceDiagram
    actor User
    participant Application
    participant URLResolver

    User->>Application: Publish content
    Application->>URLResolver: Check if requested URL is resolvable
    URLResolver-->>Application: URL is resolvable
    Application->>User: Redirect to requested URL

    alt URL not resolvable
        URLResolver-->>Application: URL not resolvable
        Application->>User: Redirect to version list URL
    end

Loading

File-Level Changes

Change	Details	Files
Added URL resolution validation in the publish view	Added URL resolvability check using resolve() function Implemented fallback to version_list_url when URL is not resolvable Maintained existing redirect behavior for resolvable URLs	djangocms_versioning/admin.py
Added comprehensive tests for URL redirect scenarios	Added test for publish view with no redirect URL Added test for publish view with resolvable redirect URL Added test for publish view with non-resolvable redirect URL	tests/test_admin.py

Possibly linked issues

• [bug] Insecure redirect after publishing etc. #421: The PR implements a resolvability check for redirects, directly addressing the issue of insecure redirects.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @theShinigami - I've reviewed your changes and they look great!

Here's what I looked at during the review

• 🟡 General issues: 1 issue found
• 🟢 Security: all looks good
• 🟡 Testing: 2 issues found
• 🟢 Complexity: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (testing): Missing test cleanup for ON_PUBLISH_REDIRECT setting

The test modifies a global setting but doesn't restore it after the test. This could affect other tests. Consider using setUp/tearDown or storing the original value and restoring it at the end of the test, similar to how test_publish_view_redirects_according_to_settings does it.

[sourcery-ai]

issue (testing): Missing security-related test cases for redirect validation

Given that this is a security-related change to prevent insecure redirects, consider adding test cases for potentially malicious URLs (e.g., URLs with different schemes, URLs to external domains, URLs with special characters). This would help ensure the security aspect is properly tested.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.23%. Comparing base (f90c5b2) to head (0ad9e12).
Report is 35 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #436      +/-   ##
==========================================
+ Coverage   90.88%   91.23%   +0.35%     
==========================================
  Files          72       72              
  Lines        2546     2671     +125     
  Branches      361      308      -53     
==========================================
+ Hits         2314     2437     +123     
+ Misses        168      163       -5     
- Partials       64       71       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[fsbraun]

Hey @theShinigami ! Thanks for the PR! That's a good step in the right direction.

I have two comments:

• In the case of conf.ON_PUBLISH_REDIRECT not in ("preview", "published") the requested_redirect is not validated
• Also the published object's absolute url in line 1067 needs to be validated: Some custom object could return an invalid url.