From 2d03c72d03760423fca352b0e3795e2a36a48eea Mon Sep 17 00:00:00 2001
From: Ariel Caplan
Date: Thu, 5 Mar 2026 00:59:23 +0200
Subject: [PATCH] Validate host param in HomeController to prevent open redirect

Apply the same deduced_phishing_attack? check used in the shopify_app gem's generated HomeController template (Shopify/shopify_app#2059) to this template's HomeController.

Co-Authored-By: Claude Opus 4.6
---
 web/app/controllers/home_controller.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/web/app/controllers/home_controller.rb b/web/app/controllers/home_controller.rb
index c7c8ba6..123c3ed 100644
--- a/web/app/controllers/home_controller.rb
+++ b/web/app/controllers/home_controller.rb
@@ -10,7 +10,9 @@ class HomeController < ApplicationController
 def index
 if ShopifyAPI::Context.embedded? && (!params[:embedded].present? || params[:embedded] != "1")
- redirect_to(ShopifyAPI::Auth.embedded_app_url(params[:host]), allow_other_host: true)
+ redirect_url = ShopifyAPI::Auth.embedded_app_url(params[:host])
+ redirect_url = ShopifyApp.configuration.root_url if deduced_phishing_attack?(redirect_url)
+ redirect_to(redirect_url, allow_other_host: true)
 else
 contents = File.read(File.join(Rails.env.production? ? PROD_INDEX_PATH : DEV_INDEX_PATH, "index.html"))
 contents.sub!("%VITE_SHOPIFY_API_KEY%", ShopifyApp.configuration.api_key)
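Review bot: The new guard on the second added line calls `deduced_phishing_attack?`, which this hunk neither defines nor includes; unless this template's `ApplicationController` (outside the hunk) pulls in the shopify_app concern that provides it, the embedded redirect path now raises `NoMethodError` instead of failing closed, so the PR should add a request spec that sends a `host` whose base64 decodes to a non-Shopify domain and asserts a redirect to `ShopifyApp.configuration.root_url`. Because `params[:host]` is attacker-controlled and `embedded_app_url` appears to build `https://<decoded host>/...` directly from it (confirm against the shopify_api version in use), the fix is only as strong as that helper's host check — it needs to parse the resulting URL and compare the host against an allowlist of Shopify admin domains, not substring-match, since the decoded value can carry `@`, `/` or `#`. A missing `host` param likely fails inside `embedded_app_url` before the guard runs; an explicit `params[:host].present?` check ahead of it would make that path deterministic. A one-line why-comment above the guard would help the next reader: `# params[:host] is untrusted; fall back to root_url unless it decodes to a Shopify admin host`. `index` continues past the end of the hunk.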