
Fix open redirect vulnerability#15952

Merged
JamesNK merged 4 commits into main from fix/open-redirect-validate-token-middleware
Apr 8, 2026

Conversation

@JamesNK (Member) commented Apr 8, 2026

Description

Fix an open redirect vulnerability in ValidateTokenMiddleware. The returnUrl query parameter was used directly in Response.Redirect without validation, allowing an attacker to craft a login URL that redirects users to an external malicious site after authentication.

The fix adds an IsLocalUrl check (matching ASP.NET Core's IUrlHelper.IsLocalUrl logic) that only allows redirect URLs starting with / while rejecting protocol-relative (//) and backslash escape (/\) patterns. If validation fails, the middleware falls back to the default resources URL.

Unit tests are added covering absolute URLs (https://evil.com, http://evil.com), protocol-relative URLs (//evil.com), and backslash escape URLs (/\evil.com) for both Unsecured and BrowserToken auth modes.

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?
    • Yes
    • No

Validate that returnUrl is a local path before redirecting.
Reject absolute URLs, protocol-relative URLs (//), and backslash
escape URLs (/\) to prevent open redirect attacks.
Add unit tests covering malicious returnUrl values.
@JamesNK JamesNK requested a review from adamint as a code owner April 8, 2026 00:23
Copilot AI review requested due to automatic review settings April 8, 2026 00:23
@github-actions bot (Contributor) commented Apr 8, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15952

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15952"

Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses an open redirect vulnerability in ValidateTokenMiddleware by validating the returnUrl query parameter before redirecting, preventing redirects to external/malicious destinations after authentication.

Changes:

  • Add a local-URL validation helper (IsLocalUrl) and gate redirects on it.
  • Add unit tests covering several non-local returnUrl patterns (absolute, protocol-relative, and backslash-escape) for both Unsecured and BrowserToken auth modes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Reviewed files:

  • src/Aspire.Dashboard/Model/ValidateTokenMiddleware.cs: Validates returnUrl via a local-URL check before calling Response.Redirect, otherwise falls back to the default resources URL.
  • tests/Aspire.Dashboard.Tests/Middleware/ValidateTokenMiddlewareTests.cs: Adds coverage ensuring malicious/non-local returnUrl inputs do not influence the post-login redirect target.

@radical (Member) commented Apr 8, 2026

Incomplete fix — Login.razor.cs has a parallel unvalidated redirect path

The middleware fix looks correct for the server-side Response.Redirect path, but there's a parallel code path in the Login Blazor page (Login.razor.cs) that uses ReturnUrl from the query string without any IsLocalUrl validation, preserving the same open redirect vulnerability through a different route.

The bypass (BrowserToken mode)

Attack URL: /login?returnUrl=https://evil.com (no t parameter)

When the t query parameter is absent in BrowserToken mode, the middleware falls through to _next(context) at line 67 of ValidateTokenMiddleware.cs without intercepting the request. The Login Blazor page then renders and reads ReturnUrl directly from the query string via [SupplyParameterFromQuery].

Two exploit paths in Login.razor.cs:

  1. Already-authenticated user (line 62): OnInitializedAsync checks AuthenticationState, finds the user is authenticated, and calls NavigationManager.NavigateTo("https://evil.com", forceLoad: true) — immediate redirect to attacker site.

  2. Manual token entry (line 94): User sees the normal login form, enters their valid token, JS calls /api/validatetoken (a separate endpoint that bypasses the /login middleware path), and on success calls NavigationManager.NavigateTo("https://evil.com", forceLoad: true) — redirect to attacker site after legitimate authentication.

Both paths use GetRedirectUrl() at line 111, which returns ReturnUrl ?? DashboardUrls.ResourcesUrl() with no validation.

Suggested fix

Apply the same IsLocalUrl check in GetRedirectUrl():

private string GetRedirectUrl()
{
    return ValidateTokenMiddleware.IsLocalUrl(ReturnUrl) ? ReturnUrl : DashboardUrls.ResourcesUrl();
}

Note: IsLocalUrl is already internal static, so it's accessible from within the same assembly.
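The following is an added C# example, not code from the aspire repository; the class name RedirectSafety, the DefaultResourcesUrl placeholder (standing in for DashboardUrls.ResourcesUrl()) and the sample inputs are assumptions. It implements the IsLocalUrl rules from the PR description (accept only paths starting with /, reject // and /\) together with the GetRedirectUrl fallback suggested above for Login.razor.cs, and exercises the inputs the PR's unit tests cover. It goes beyond the PR text in one respect: like ASP.NET Core's own IsLocalUrl, it also rejects control characters so CR/LF can never reach a Location header.

```csharp
// Added example, not code from the aspire repository: a local-URL predicate
// implementing the rules the PR describes (accept "/..." only, reject "//" and
// "/\"), and the fallback-to-default selection that both redirect paths in the
// thread need. Class and member names here are hypothetical.
using System;

public static class RedirectSafety
{
    // Placeholder standing in for DashboardUrls.ResourcesUrl() on the page.
    public const string DefaultResourcesUrl = "/";

    // True only for same-origin paths. "//evil.com" is protocol-relative and
    // "/\evil.com" is normalised by browsers to "//evil.com", so both are rejected.
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] != '/') return false;            // "https://...", "evil.com", "~/x"
        if (url.Length == 1) return true;           // bare "/"
        if (url[1] == '/' || url[1] == '\\') return false;

        // Beyond the PR text: ASP.NET Core's check also rejects control
        // characters, so CR/LF cannot reach the Location header.
        foreach (char c in url)
        {
            if (char.IsControl(c)) return false;
        }
        return true;
    }

    // Same decision for the middleware's Response.Redirect and the Blazor
    // page's GetRedirectUrl(): use returnUrl when local, else the default.
    public static string GetRedirectUrl(string? returnUrl) =>
        IsLocalUrl(returnUrl) ? returnUrl! : DefaultResourcesUrl;

    public static void Main()
    {
        // Constructed sample inputs, including the cases the PR's tests cover.
        string?[] inputs =
        {
            "/resources", "/", "/traces?id=1",
            "https://evil.com", "http://evil.com", "//evil.com", "/\\evil.com",
            "evil.com", "", null, "/ok\r\nX-Injected: 1",
        };

        foreach (string? u in inputs)
        {
            string shown = (u ?? "<null>").Replace("\r", "\\r").Replace("\n", "\\n");
            Console.WriteLine($"{shown,-22} local={IsLocalUrl(u),-5} redirect={GetRedirectUrl(u)}");
        }
    }
}
```

Only the three "/..." inputs come back as local; every absolute, protocol-relative, backslash-escaped, empty, null or control-character value falls back to DefaultResourcesUrl. Checking the second character rather than searching for "//" anywhere is deliberate: a query string such as "/traces?next=//x" is still a same-origin path and should be allowed.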

… redirect

- Extract IsLocalUrl into UrlValidationHelper.cs shared utility
- Add IsSafeRedirectUrl that validates URI format and locality
- Fix Login.razor.cs GetRedirectUrl() to validate ReturnUrl
- Remove inlined IsLocalUrl from ValidateTokenMiddleware
@JamesNK JamesNK changed the title Fix open redirect vulnerability in ValidateTokenMiddleware Fix open redirect vulnerability Apr 8, 2026
@JamesNK JamesNK enabled auto-merge (squash) April 8, 2026 03:02
@JamesNK JamesNK merged commit a182eb9 into main Apr 8, 2026
264 checks passed
@github-actions bot (Contributor) commented Apr 8, 2026

🎬 CLI E2E Test Recordings — 56 recordings uploaded (commit 67b01ab)

Recorded tests:

AddPackageInteractiveWhileAppHostRunningDetached
AddPackageWhileAppHostRunningDetached
AgentCommands_AllHelpOutputs_AreCorrect
AgentInitCommand_DefaultSelection_InstallsSkillOnly
AgentInitCommand_MigratesDeprecatedConfig
AllPublishMethodsBuildDockerImages
AspireAddPackageVersionToDirectoryPackagesProps
AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps
Banner_DisplayedOnFirstRun
Banner_DisplayedWithExplicitFlag
Banner_NotDisplayedWithNoLogoFlag
CertificatesClean_RemovesCertificates
CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate
CertificatesTrust_WithUntrustedCert_TrustsCertificate
ConfigSetGet_CreatesNestedJsonFormat
CreateAndRunAspireStarterProject
CreateAndRunAspireStarterProjectWithBundle
CreateAndRunEmptyAppHostProject
CreateAndRunJavaEmptyAppHostProject
CreateAndRunJsReactProject
CreateAndRunPythonReactProject
CreateAndRunTypeScriptEmptyAppHostProject
CreateAndRunTypeScriptStarterProject
CreateJavaAppHostWithViteApp
CreateStartAndStopAspireProject
CreateTypeScriptAppHostWithViteApp
DashboardRunWithOtelTracesReturnsNoTraces
DescribeCommandResolvesReplicaNames
DescribeCommandShowsRunningResources
DetachFormatJsonProducesValidJson
DoctorCommand_DetectsDeprecatedAgentConfig
DoctorCommand_WithSslCertDir_ShowsTrusted
DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted
GlobalMigration_HandlesCommentsAndTrailingCommas
GlobalMigration_HandlesMalformedLegacyJson
GlobalMigration_PreservesAllValueTypes
GlobalMigration_SkipsWhenNewConfigExists
GlobalSettings_MigratedFromLegacyFormat
InvalidAppHostPathWithComments_IsHealedOnRun
LegacySettingsMigration_AdjustsRelativeAppHostPath
LogsCommandShowsResourceLogs
PsCommandListsRunningAppHost
PsFormatJsonOutputsOnlyJsonToStdout
PublishWithDockerComposeServiceCallbackSucceeds
RestoreGeneratesSdkFiles
RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes
RunFromParentDirectory_UsesExistingConfigNearAppHost
RunWithMissingAwaitShowsHelpfulError
SecretCrudOnDotNetAppHost
SecretCrudOnTypeScriptAppHost
StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels
StopAllAppHostsFromAppHostDirectory
StopAllAppHostsFromUnrelatedDirectory
StopNonInteractiveMultipleAppHostsShowsError
StopNonInteractiveSingleAppHost
StopWithNoRunningAppHostExitsSuccessfully

📹 Recordings uploaded automatically from CI run #24115336932

@aspire-repo-bot commented

No documentation updates are required for this PR.

This is an internal security bug fix that:

  • Adds URL validation for the returnUrl query parameter in ValidateTokenMiddleware
  • Makes no public API changes
  • Does not introduce new user-facing features or configuration options

No changes to the aspire.dev documentation site are needed.

Generated by PR Documentation Check for issue #15952

IEvangelist pushed a commit that referenced this pull request Apr 8, 2026