From 9d8322064bee902bc34aee8fae0a663e4c809f2c Mon Sep 17 00:00:00 2001
From: Kaj Kowalski
Date: Sun, 18 May 2025 23:35:18 +0200
Subject: [PATCH] Potential fix for code scanning alert no. 1: URL redirection from remote source

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 dashboard_project/data_integration/views.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/dashboard_project/data_integration/views.py b/dashboard_project/data_integration/views.py
index d159334..cdbd12b 100644
--- a/dashboard_project/data_integration/views.py
+++ b/dashboard_project/data_integration/views.py
@@ -2,6 +2,7 @@ from django.contrib import messages
 from django.contrib.admin.views.decorators import staff_member_required
 from django.contrib.auth.decorators import login_required, user_passes_test
 from django.shortcuts import get_object_or_404, redirect
+from django.utils.http import url_has_allowed_host_and_scheme
 from .models import ExternalDataSource
 from .tasks import periodic_fetch_chat_data, refresh_specific_source
 
@@ -36,7 +37,10 @@ def manual_data_refresh(request):
         )
     except Exception as e:
         messages.error(request, f"Failed to refresh data: {e}")
-        return redirect(request.headers.get("referer", "dashboard")) # Redirect to previous page or dashboard
+    referer = request.headers.get("referer", "")
+    if url_has_allowed_host_and_scheme(referer, allowed_hosts=None):
+        return redirect(referer)
+    return redirect("dashboard") # Redirect to a safe default
 
 
 @staff_member_required
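Review bot: With `allowed_hosts=None`, `url_has_allowed_host_and_scheme` treats the allowed set as empty and accepts only URLs with no host part, while a Referer header is normally an absolute URL, so the new check in manual_data_refresh will reject every real referer and the view will always fall through to `redirect("dashboard")`; the hunk in refresh_specific_datasource has the same problem. If redirecting back to the previous page is still intended, pass the request's own host as the allowed set, as Django's LoginView does: `if url_has_allowed_host_and_scheme(referer, allowed_hosts={request.get_host()}, require_https=request.is_secure()):`. If the referer round-trip is no longer wanted, the check can be removed and each view can redirect to its fixed target unconditionally, which is simpler to reason about. Both enclosing functions start outside their hunks.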
@@ -51,4 +55,7 @@ def refresh_specific_datasource(request, source_id):
 
     except Exception as e:
         messages.error(request, f"Failed to refresh data source {source.name}: {e}")
-        return redirect(request.headers.get("referer", "/admin/data_integration/externaldatasource/"))
+    referer = request.headers.get("referer", "")
+    if url_has_allowed_host_and_scheme(referer, allowed_hosts=None):
+        return redirect(referer)
+    return redirect("/admin/data_integration/externaldatasource/") # Redirect to a safe default