fix(eco): Improves domain checking for next URL in installation flow (#113118)

GabeVillalobos · web-flow · commit aeea42071bdb · 2026-04-15T14:33:08.000-07:00
diff --git a/static/app/components/backendJsonFormAdapter/projectMapperAdapter.spec.tsx b/static/app/components/backendJsonFormAdapter/projectMapperAdapter.spec.tsx
@@ -369,7 +369,10 @@ describe('ProjectMapperAdapter', () => {
         {
           organization: org,
           initialRouterConfig: {
-            location: {pathname: '/', query: {next: 'https://evil.com/steal'}},
+            location: {
+              pathname: '/',
+              query: {next: 'https://vercel.com.evil.example.com/steal'},
+            },
           },
         }
       );
diff --git a/static/app/components/backendJsonFormAdapter/projectMapperAdapter.tsx b/static/app/components/backendJsonFormAdapter/projectMapperAdapter.tsx
@@ -244,8 +244,15 @@ export function ProjectMapperNextButton({config, value}: ProjectMapperNextButton
     return null;
   }
 
-  if (!nextUrl.startsWith(nextButton.allowedDomain)) {
-    Sentry.captureMessage(`Got invalid next url: ${nextUrl}`);
+  try {
+    const parsedUrl = new URL(nextUrl);
+    const allowedOrigin = new URL(nextButton.allowedDomain).origin;
+    if (parsedUrl.origin !== allowedOrigin) {
+      Sentry.captureMessage(`Got invalid next url: ${nextUrl}`);
+      return null;
+    }
+  } catch {
+    Sentry.captureMessage(`Failed to parse next url: ${nextUrl}`);
     return null;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -369,7 +369,10 @@ describe('ProjectMapperAdapter', () => {`
`369`	`369`	`{`
`370`	`370`	`organization: org,`
`371`	`371`	`initialRouterConfig: {`
`372`		`- location: {pathname: '/', query: {next: 'https://evil.com/steal'}},`
	`372`	`+ location: {`
	`373`	`+ pathname: '/',`
	`374`	`+ query: {next: 'https://vercel.com.evil.example.com/steal'},`
	`375`	`+ },`
`373`	`376`	`},`
`374`	`377`	`}`
`375`	`378`	`);`