How to restrict jupyterhub login redirect url

Hi! Our security team finds that the browser can be redirected to any URL without restriction using the ‘next’ param when logging in to the hub.

For example, if I request such URL:

http://xxx.xxx.com/jupyterhub/hub/login?access_token=xxx.xxx&next=http://www.abc.com

The browser will redirect to http://www.abc.com if the access_token is valid.

Our security team worries that someone may use this mechanism to attack us. Therefore, I wonder if there exists any way to set a whitelist to restrict the redirect URL. Thanks!
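An allowlist check of the kind the question asks for, as an added example written here (this is not JupyterHub's own code; the helper names and the `/jupyterhub/` base URL taken from the request above are assumptions): it accepts only same-origin paths under the hub's base URL and rejects absolute, protocol-relative and backslash-style targets.

```python
# Added example (not JupyterHub's own code): validate a login "next" parameter so
# that it can only redirect to a path under the hub's own base URL.
# Assumed names: is_safe_next_url / safe_next_url are hypothetical helpers.
from urllib.parse import urlsplit, urlunsplit

HUB_BASE_URL = "/jupyterhub/"   # assumed from the URL in the question


def is_safe_next_url(next_url: str, base_url: str = HUB_BASE_URL) -> bool:
    """Return True only if next_url is an absolute path on this host under base_url.

    Rejects targets with a scheme or host (http://www.abc.com), protocol-relative
    targets (//www.abc.com), backslash variants that browsers normalise to a host
    (/\\www.abc.com), control characters, and ".." segments escaping the prefix.
    """
    if not next_url:
        return False
    # Whitespace and control characters could smuggle a scheme or split a header.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in next_url):
        return False
    # Browsers treat "\" like "/" in the authority position, so normalise first.
    parts = urlsplit(next_url.replace("\\", "/"))
    if parts.scheme or parts.netloc:
        return False  # absolute or protocol-relative URL: external redirect
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return False  # must be a single-slash absolute path on this host
    if ".." in parts.path.split("/"):
        return False  # path traversal out of the hub prefix
    return parts.path.startswith(base_url)


def safe_next_url(next_url: str, base_url: str = HUB_BASE_URL) -> str:
    """Return a cleaned next_url if it passes the allowlist, else the hub home page."""
    if is_safe_next_url(next_url, base_url):
        parts = urlsplit(next_url.replace("\\", "/"))
        # Rebuild only path and query; drop anything else (fragment, userinfo).
        return urlunsplit(("", "", parts.path, parts.query, ""))
    return base_url + "hub/home"
```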

Hi! JupyterHub should check for an external next redirect parameter:

Please could you provide more information to reproduce the problem? Ideally a full minimal setup including your JupyterHub configuration and component versions.