Datasette Open Redirect Vulnerability

Vulnerability

An open redirect vulnerability exists in Datasette, an open-source tool for exploring and publishing data, in versions prior to 0.65.2 and 1.0a20. Redirects generated from request paths that begin with a double slash are misinterpreted: a browser treats a Location beginning with '//' as a protocol-relative URL, so the redirect lands on another host. For example, a path like '//example.com/foo/bar/' (with a trailing slash) would redirect to 'https://example.com/foo/bar'. This issue has been observed on production servers, including instances on Heroku.

Impact

Exploitation of this vulnerability allows for open redirect behavior, where users can be redirected to arbitrary URLs. This can be exploited for phishing attacks or to bypass security controls that rely on URL validation.

Reproduction

To reproduce this vulnerability, send a request to a Datasette instance with a path that includes a double slash at the beginning and a trailing slash. The server will respond with a 302 redirect to an unintended location, effectively demonstrating the open redirect flaw.

Remediation

Users can update to Datasette version 0.65.2 or 1.0a21, both of which include the necessary fix. If an immediate update is not possible, and Datasette is behind a proxy, configure the proxy to replace double slashes with single slashes in incoming URLs.
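The proxy-side workaround above, expressed in code as an added example (this is not Datasette's own code or its fix): an ASGI middleware that collapses runs of slashes in the request path before the wrapped application derives any redirect from it, plus a check that accepts only same-site, path-only redirect targets. The class name, the echo app and the sample paths are constructed for illustration; the check also rejects backslashes, which browsers treat as slashes.

```python
import asyncio
import re
from urllib.parse import urlsplit

_MULTI_SLASH = re.compile(r"/{2,}")

def collapse_slashes(path: str) -> str:
    """Collapse runs of slashes: '//example.com/foo/' -> '/example.com/foo/',
    so the prefix can no longer be read by a browser as a host name."""
    return _MULTI_SLASH.sub("/", path)

def is_local_redirect(location: str) -> bool:
    """True only for a path-only target on this site. A value beginning
    with '//' parses with a netloc, so it is rejected like absolute URLs."""
    parts = urlsplit(location)
    return (parts.scheme == "" and parts.netloc == "" and "\\" not in location
            and location.startswith("/") and not location.startswith("//"))

class CollapseSlashesMiddleware:
    """ASGI middleware (constructed example) that normalises the path before
    the wrapped app, e.g. Datasette, computes a trailing-slash redirect."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            scope = dict(scope)  # do not mutate the server's scope in place
            scope["path"] = collapse_slashes(scope["path"])
            if "raw_path" in scope:  # bytes form used by some frameworks
                raw = scope["raw_path"].decode("latin-1")
                scope["raw_path"] = collapse_slashes(raw).encode("latin-1")
        await self.app(scope, receive, send)

async def _echo_path_app(scope, receive, send):
    # Stand-in for the wrapped app: responds with the path it was handed.
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": scope["path"].encode()})

def path_seen_by_app(request_path: str) -> str:
    """Drive the middleware with a constructed request; return the inner path."""
    seen = []

    async def send(message):
        if message["type"] == "http.response.body":
            seen.append(message["body"].decode())

    scope = {"type": "http", "path": request_path}  # receive unused by echo app
    asyncio.run(CollapseSlashesMiddleware(_echo_path_app)(scope, None, send))
    return seen[0]
```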

Added: Nov 7, 2025, 9:17 PM
Updated: Nov 7, 2025, 9:17 PM

Vulnerability Rating

Custom algorithm scores:

spread:          4.5
impact:          0.6
exploitability:  8.8
remediation:     7.9
relevance:       0.9
threat:          4.8
urgency:         2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.