[BUG] Invalid next URL when session expired

[Hailong-am]

What is the bug?

Here is the url with error

http://localhost:5601/app/login?nextUrl=%2Fapp%2Fopensearch_index_management_dashboards_%252Frollups#/rollups?from=0&search=&size=20&sortDirection=desc&sortField=_id

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "[request query.nextUrl]: Invalid nextUrl parameter."
}

The nextUrl is /app/opensearch_index_management_dashboards_%2Frollups
Based on the validation rule, it has %2F which is not allowed.

security-dashboards-plugin/server/utils/next_url.ts

Lines 75 to 80 in 506d803

	if (
	(pathMinusBase && !pathMinusBase.startsWith('/')) ||
	(pathMinusBase.length >= 2 && !/^\/[a-zA-Z_][\/a-zA-Z0-9-_]+$/.test(pathMinusBase))
	) {
	return INVALID_NEXT_URL_PARAMETER_MESSAGE;
	}

How can one reproduce the bug?
Steps to reproduce the behavior:

1. Enable workspace and goes into a workspace
2. Go to http://localhost:5601/app/opensearch_index_management_dashboards_%2Frollups#/rollups?dataSourceId=&from=0&search=&size=20&sortDirection=desc&sortField=_id
3. Wait for session expired
4. See error

What is the expected behavior?
A clear and concise description of what you expected to happen.

What is your host/environment?

• OS: [e.g. iOS]
• Version [e.g. 22]
• Plugins

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?

[cwperks]

@Hailong-am Why is the URL

localhost:5601/app/login?nextUrl=%2Fapp%2Fopensearch_index_management_dashboards_%252Frollups#/rollups?from=0&search=&size=20&sortDirection=desc&sortField=_id

instead of

localhost:5601/app/login?nextUrl=%2Fapp%2Fopensearch_index_management_dashboards_%2Frollups#/rollups?from=0&search=&size=20&sortDirection=desc&sortField=_id

i.e. Why the %25? (%25 is URL-encoded percent symbol) IMO the logic for nextUrl validation is sound, but the url you have pasted is doubly-encoded.

[cwperks]

@Hailong-am Is encodeUriComponent required when declaring the paths in the index-management-dashboards-plugin here?

[Hailong-am]

@Hailong-am Is encodeUriComponent required when declaring the paths in the index-management-dashboards-plugin here?

I think so, the application id opensearch_index_management_dashboards_${encodeURIComponent('/routes')}, if remove the encodeURIComponent the application id will be opensearch_index_management_dashboards_/routes, so url will be /app/opensearch_index_management_dashboards_/routes/... that will render application with id opensearch_index_management_dashboards_ which is not exists

[cwperks]

We would need to confirm if the route id is the cause of the double encoding. In the security-dashboards-plugin, route ids are explicitly defined and not based on the route configured. Examples: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/public/plugin.ts#L189-L275

The ids are defined with underscores like this: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/common/index.ts#L18-L24

[Hailong-am]

route ids are explicitly defined and not based on the route configured. Examples: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/public/plugin.ts#L189-L275

yes, that's the cause. application id could not contains any special character like / +, otherwise it will have same problem.

either we have a place to document this limitation, or we figure out a way to check the application id is a valid and exist one no matter what kind of format does it have.