From da79a251655b044aa24740043d991e5a18b806ad Mon Sep 17 00:00:00 2001
From: Michael Myers
Date: Wed, 29 Jun 2022 14:54:02 -0500
Subject: [PATCH] ensure path param is valid path
---
 lib/web/app/redirect.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/web/app/redirect.go b/lib/web/app/redirect.go
index 3884748c92260..70c45fa9a29ea 100644
--- a/lib/web/app/redirect.go
+++ b/lib/web/app/redirect.go
@@ -78,7 +78,10 @@ const js = `
 }).then(response => {
 if (response.ok) {
 try {
- window.location.replace(url.origin + path);
+ if (path.charAt(0) !== "/") {
+ throw "malformed url"
+ }
+ window.location.replace(url.origin + path);
 } catch (error) {
 // in case of malformed url, return to origin
 window.location.replace(url.origin)
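Review bot: The guard added before `window.location.replace(url.origin + path)` is what keeps this redirect on the application's own origin, but nothing in the code says so; the only nearby comment (`// in case of malformed url, return to origin`) describes the fallback, not the reason for the check. I would add a comment above the `if`, for example `// path is appended to url.origin as a raw string; requiring a leading "/" keeps the result on the same host`. The throw would also read better as `throw new Error("malformed url");`, since a bare string carries no stack and the statement lacks the semicolon used on the surrounding lines. The patch touches only redirect.go, so a test that pins the rejected case would help keep the check from being loosened later. The script lives in the `js` constant, whose start and end are outside the hunk, so where `path` comes from cannot be confirmed from here.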