From af38de4d079f92d9430137e4d8950123ce5f0468 Mon Sep 17 00:00:00 2001
From: Ariel Caplan
Date: Mon, 2 Mar 2026 16:31:17 +0200
Subject: [PATCH] Validate host param in generated HomeController template

Apply the same deduced_phishing_attack? check used in redirect_to_embed_app_in_admin to the generated unauthenticated home controller template.

Co-Authored-By: Claude Opus 4.6
---
 CHANGELOG.md | 1 +
 .../templates/unauthenticated_home_controller.rb | 4 +++-
 test/generators/home_controller_generator_test.rb | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f2708a2c9..987911f22 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,6 @@
 Unreleased
 ----------
+- [Patch] Validate host param in generated HomeController template to prevent open redirect
 - [Patch] Fix sorbet errors in generated webhook handlers
 
 23.0.1 (December 22, 2025)
diff --git a/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb b/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb
index 69d6778d2..5931d51db 100644
--- a/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb
+++ b/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb
@@ -7,7 +7,9 @@ class HomeController < ApplicationController
 def index
 if ShopifyAPI::Context.embedded? && (!params[:embedded].present? || params[:embedded] != "1")
- redirect_to(ShopifyAPI::Auth.embedded_app_url(params[:host]) + request.path, allow_other_host: true)
+ redirect_url = ShopifyAPI::Auth.embedded_app_url(params[:host]) + request.path
+ redirect_url = ShopifyApp.configuration.root_url if deduced_phishing_attack?(redirect_url)
+ redirect_to(redirect_url, allow_other_host: true)
 else
 @shop_origin = current_shopify_domain
 @host = params[:host]
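Review bot: The guard only substitutes `ShopifyApp.configuration.root_url` when `deduced_phishing_attack?(redirect_url)` is true, but nothing in the hunk shows where that predicate is defined for the generated controller; the commit message says it is the check used in `redirect_to_embed_app_in_admin`, so it is presumably mixed in by one of the ShopifyApp concerns the template includes — worth confirming, because the generator test only asserts that the method name appears as text. A one-line comment above the guard naming the provider would keep app developers from dropping that include later, e.g. `# deduced_phishing_attack? is provided by the ShopifyApp concern included above; keep that include while this guard is here`. Consider also logging the rejected value before falling back (`Rails.logger.warn("[ShopifyApp] rejected embedded redirect to untrusted host")`) so attempts are observable rather than silently redirected to the root URL. The hunk header counts seven old lines but only six are visible, so `index` likely continues past the last line shown.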
diff --git a/test/generators/home_controller_generator_test.rb b/test/generators/home_controller_generator_test.rb
index 2c510bd07..61da8c430 100644
--- a/test/generators/home_controller_generator_test.rb
+++ b/test/generators/home_controller_generator_test.rb
@@ -29,6 +29,7 @@ class HomeControllerGeneratorTest < Rails::Generators::TestCase
 assert_match "include ShopifyApp::ShopAccessScopesVerification", file
 assert_match "include ShopifyApp::EmbeddedApp", file
 assert_match "include ShopifyApp::EnsureInstalled", file
+ assert_match "deduced_phishing_attack?", file
 end
 assert_file "app/views/home/index.html.erb"
 end
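Review bot: The new assertion at the end of the include block only checks that the string `deduced_phishing_attack?` occurs somewhere in the generated file, which would still pass if the guard were commented out, moved outside the redirect branch, or applied to the wrong value. Asserting the full guard line instead pins the behaviour the commit adds: `assert_match "redirect_url = ShopifyApp.configuration.root_url if deduced_phishing_attack?(redirect_url)", file`. The enclosing test method starts before the hunk.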