Skip to content

fix(mobile): validate external redirect URLs#140

Open
dhairyashiil wants to merge 2 commits into
calcom:mainfrom
dhairyashiil:codex/security-mobile-redirect
Open

fix(mobile): validate external redirect URLs#140
dhairyashiil wants to merge 2 commits into
calcom:mainfrom
dhairyashiil:codex/security-mobile-redirect

Conversation

@dhairyashiil

@dhairyashiil dhairyashiil commented Jul 2, 2026

Copy link
Copy Markdown
Member

Summary

Adds client-side validation for event-type success redirect URLs in the mobile app before create/update requests are submitted. The validator now mirrors the main web app schema for successRedirectUrl: empty values are allowed, http:// and https:// URLs are allowed, and non-http schemes like javascript:, data:, and ftp: are rejected.

Main web app parity

Checked /Users/dhairyashilshinde/work/calcom/cal on main:

  • packages/prisma/zod-utils.ts defines successRedirectUrl as empty string or a URL matching ^http(s)?://.*.
  • apps/web/modules/event-types/components/tabs/confirmation/event-confirmation-tab.tsx uses that redirect field and shows the approval warning flow.
  • packages/features/eventtypes/lib/successRedirectUrlAllowed.ts and packages/features/eventtypes/lib/getPublicEvent.ts handle paid-plan/grandfathering/approval filtering.

So this mobile PR only rejects invalid/non-http URL schemes at the client boundary. It does not introduce a mobile-only HTTPS requirement.

Reviewer notes

  • Server-side validation/approval remains authoritative; this PR prevents the mobile client from sending obvious unsafe schemes.
  • Web currently allows external http:// redirect URLs, so mobile does too for consistency. If we want to require HTTPS, that should be changed centrally in the web/server schema first, then mobile can follow.

Validation

  • bun --filter mobile test --runInBand utils/redirectUrlValidation.test.js
  • bun --filter mobile typecheck
  • git diff --check HEAD~1..HEAD

@vercel

vercel Bot commented Jul 2, 2026

Copy link
Copy Markdown

@dhairyashiil is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

@dhairyashiil dhairyashiil force-pushed the codex/security-mobile-redirect branch from 24a90d8 to 633b73b Compare July 2, 2026 20:07
@dhairyashiil dhairyashiil marked this pull request as ready for review July 2, 2026 21:07
@dhairyashiil dhairyashiil enabled auto-merge (squash) July 2, 2026 21:07

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 3 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread apps/mobile/utils/redirectUrlValidation.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant