Jupyterlab accepts arbitrary value in /login's "next" parameter

Hi, we use Jupyterlab in one of our products. A security audit flagged Jupyterlab’s behavior of the /login endpoint. The endpoint accepts a “next” parameter. The parameter controls where users will be redirected next after successful login. The auditor made the point that, since the “next” param can be defined in the query string, someone can craft a URL that redirects users to a malicious website after successfully signing into Jupyter.

Has this been discussed as a potential security risk?
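A server-side check for the pattern the post describes, added here as an example (not JupyterLab's own code): accept a `next` value only when it is a path on the same origin, and fall back to a fixed landing page otherwise. The `/lab` default, the function name and the constructed sample values are assumptions, not taken from the thread.

```python
from urllib.parse import unquote, urlsplit

# Where a user lands when ``next`` is missing or rejected (assumed default;
# the thread does not state JupyterLab's real landing path).
DEFAULT_LANDING = "/lab"


def safe_next_url(next_param, default=DEFAULT_LANDING):
    """Return ``next_param`` if it is a path on this origin, else ``default``.

    The goal is the one the auditor raised: a ``next`` value pointing
    off-site must never be used as the post-login redirect target.
    """
    if not next_param:
        return default
    raw = next_param.strip()
    # Judge the value as a browser would see it: decode percent-escapes and
    # treat backslashes as slashes (browsers do so in the authority position).
    candidate = unquote(raw).replace("\\", "/")
    # Control characters have no place in a redirect target.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default
    parts = urlsplit(candidate)
    # A scheme (http:, javascript:, data:) or a host component means the
    # target is not a path on this server.
    if parts.scheme or parts.netloc:
        return default
    # Must be an absolute path here, and not protocol-relative. Checking the
    # string itself also catches "///host", which urlsplit folds into the
    # path "/host" but browsers resolve to another origin.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # Return the value as the client sent it so legitimate percent-encoding
    # in the path survives the round trip.
    return raw


if __name__ == "__main__":
    # Constructed sample values, labelled by the behaviour we expect.
    samples = [
        "/lab/tree/work/analysis.ipynb",   # accepted: same-origin path
        "/lab?path=notes.ipynb",           # accepted: query string kept
        "https://attacker.example/",       # rejected: absolute URL
        "//attacker.example",              # rejected: protocol-relative
        "%2F%2Fattacker.example",          # rejected: encoded "//"
        "/\\attacker.example",             # rejected: backslash variant
    ]
    for value in samples:
        print(f"{value!r:36} -> {safe_next_url(value)!r}")
```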

While it does accept an arbitrary value for the login parameter, alas it did not redirect me anywhere in the current JupyterLab version after successful login. It may very well be a problem on earlier versions though.
