Jupyterlab accepts arbitrary value in /login's "next" parameter

Adam_Tworkiewicz · August 10, 2023, 5:25pm

Hi, we use Jupyterlab in one of our products. A security audit flagged Jupyterlab’s behavior of /login endpoint. The endpoint accepts “next” parameter. The parameter controls where users will be redirected next after successful login.The auditor made the point that, since “next” param can be defined in the query string, someone can craft a URL that redirects users to a malicious website after successfully signing into Jupyter.

Has this been discussed as a potential security risk?

spookster · August 11, 2023, 6:49am

While it does accept an arbitrary value for the login parameter alas it did not redirect me anywhere in current jupyterlab version after successful login. It maybe very well be a problem on earlier versions though.

Topic		Replies	Views
How to restrict jupyterhub login redirect url Security jupyterhub , help-wanted	1	1027	March 2, 2023
Move session_id from url parameter to cookie JupyterLab jupyterlab , how-to	2	580	July 1, 2022
How to pass next_url of login to authenticate method of my custom OAuthenticator? JupyterHub jupyterhub	1	775	January 10, 2022
Problem running a server extension using /user-redirect/ JupyterHub jupyterlab , jupyterhub , help-wanted	1	435	August 16, 2023
Is it possible to avoid exposing token in GET parameter in JupyterHub JupyterHub jupyterhub , how-to , help-wanted	2	287	March 15, 2024

Jupyterlab accepts arbitrary value in /login's "next" parameter

Related Topics