Use Ada to redirect users upon login #3933

Open

mlissner opened this issue Apr 1, 2024 · 3 comments

Comments

mlissner (Member) commented Apr 1, 2024

A while back, I removed redirect-on-login functionality from CourtListener because it was exposing a vulnerability in Python. I reported the Python vulnerability, and it was fixed:

https://bugs.python.org/issue43882

But it was kind of a mess, honestly. The volunteer that fixed it didn't check if the WHATWG test suite passed properly, and just focused on the small vuln that I reported. I'm pretty sure urlparse is still parsing things incorrectly and probably still vulnerable, so I didn't reinstate our redirect-on-login functionality even once Python was "fixed."

Now, when people login, they just go to the homepage, and bots.law inherited this functionality. Lame.

There is, however, hope. A new library called Ada actually passes the WHATWG test suite, is fast, has Python bindings, and seems really great:

https://github.com/ada-url/ada?tab=readme-ov-file

Maybe we should use it and make it so redirect-on-login works again.

But before we do that, I wanted to see if Django would integrate Ada directly, so I opened a discussion about that here:

https://groups.google.com/g/django-developers/c/Zp9mKpBn4u8

If we get a 👍 from them, we should just add it to Django, wait for that, and then fix our redirect system.

If it gets a 👎, we should just use Ada ourselves to fix our redirect system.
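The safe end state described in this comment, rejecting any redirect target that could leave the site, can be written so that it does not depend on which parser is in use. The block below is an added example and is not CourtListener's, Django's or Ada's code: it validates a post-login target with only the standard library, refusing ASCII whitespace, control characters and backslashes before any parser sees the string (the newline-in-URL inputs behind bpo-43882 never reach urlsplit), and then comparing the parsed host, not the raw netloc, against an allowlist. The allowed-host set, the `naive_is_safe` strawman and the sample inputs are assumptions constructed for the example.

```python
"""Redirect-target validation that does not trust any single URL parser.

Added example, not CourtListener's or Django's code.  The allowed-host
set and the sample targets are assumptions made for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed for the example: the only hosts we are willing to send a user to.
ALLOWED_HOSTS = frozenset({"www.courtlistener.com", "bots.law"})

# ASCII controls, space and DEL.  Browsers strip tabs and newlines from URLs
# (WHATWG); stdlib parsers have handled them differently across versions,
# so refuse them before any parser gets a say.
_UNSAFE_CHARS = re.compile(r"[\x00-\x20\x7f]")


def naive_is_safe(target: str) -> bool:
    """Strawman check: looks fine, but a leading slash also matches the
    protocol-relative form "//evil.example", which browsers follow."""
    return target.startswith("/")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site relative path or an https URL whose
    parsed host is on the allowlist."""
    if not target or _UNSAFE_CHARS.search(target):
        return False
    # Browsers treat "\" like "/" in http(s) URLs; the stdlib does not.
    # Rather than model that difference, reject the character outright.
    if "\\" in target:
        return False

    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 bracket host
        return False

    if parts.netloc:
        # Absolute URL: the scheme must be https and the *parsed* host must be
        # allowed.  The raw netloc may carry "allowed.host@evil.example".
        return parts.scheme.lower() == "https" and parts.hostname in allowed_hosts

    # No authority parsed.  Anything with a scheme but no authority is
    # suspect: a browser resolves "https:evil.example" to https://evil.example.
    if parts.scheme:
        return False
    # Accept only a plain single-slash path.  "//evil.example" and
    # "///evil.example" are read as an authority by browsers.
    return target.startswith("/") and not target.startswith("//")


# Constructed inputs: one safe relative path, one safe absolute URL, and the
# usual open-redirect bypass attempts.
SAMPLE_TARGETS = {
    "/docket/123/": True,
    "https://www.courtlistener.com/?q=x": True,
    "//evil.example/": False,
    "///evil.example/": False,
    "/\\evil.example/": False,
    "https://www.courtlistener.com@evil.example/": False,
    "https:evil.example": False,
    "https://www.courtlistener.com/\n@evil.example": False,
    "javascript:alert(1)": False,
    "": False,
}


def check_samples() -> dict:
    """Run every sample through the hardened check; keyed by target."""
    return {t: is_safe_redirect(t) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, expected in SAMPLE_TARGETS.items():
        got = is_safe_redirect(target)
        flag = "ok " if got == expected else "BAD"
        print(f"{flag} hardened={got!s:5} naive={naive_is_safe(target)!s:5} {target!r}")
```

The point of rejecting whitespace and backslashes up front is that the check's answer no longer depends on how a given parser version handles those characters. If Ada's Python bindings are available, the same allowlist comparison can be run against Ada's parsed host as a second opinion, with any disagreement between the two parsers treated as a rejection.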

anonrig commented May 2, 2024

Hi @mlissner, Ada author here. Is there anything I can help with on this?

mlissner (Member, Author) commented May 3, 2024

Hey @anonrig, thanks for offering! It sounds like getting Django to do this themselves isn't going to happen unless somebody demonstrates that the WHATWG test suite is still vulnerable in Python, and I don't think I'll have time to do that.

So, I think what that means is we'd like to use Ada to do our redirects in CourtListener when people log in.

I don't imagine you're familiar enough with Django (and interested enough) to take a stab at that, are you?

I actually suspect your time would be better spent convincing Django devs they should worry about this more...

anonrig commented May 3, 2024

@mlissner Happy to do my part. Can you reach me from any platform, so we can talk about this in detail?
