2.21.12 (#423)

* chore: bump version to 2.21.12 and implement safe redirect path validation

- Updated application version from 2.21.11 to 2.21.12 in package.json.
- Introduced `getSafeRedirectPath` and `isSafeRedirectPath` utility functions to validate user-supplied redirect URLs, enhancing security against open redirect attacks.
* fix: address page reload issue in Admin tests for CI

packages/shared/src/utils.ts

@@ -21,3 +21,43 @@ export function formatCurrency(params: {
     currency: params.currencyCode,
   }).format(Number(params.value));
 }
+
+/**
+ * @name isSafeRedirectPath
+ * @description Checks if a path is safe for redirects (prevents open redirect attacks).
+ * Safe paths must:
+ * - Start with a single `/`
+ * - NOT start with `//` (protocol-relative URLs)
+ * - NOT contain `://` (absolute URLs)
+ * - NOT contain backslash (URL normalization attacks)
+ */
+export function isSafeRedirectPath(path: string): boolean {
+  if (!path || typeof path !== 'string') return false;
+
+  // Must start with exactly one forward slash (relative path)
+  if (!path.startsWith('/') || path.startsWith('//')) return false;
+
+  // Must not contain protocol indicators
+  if (path.includes('://')) return false;
+
+  // Must not contain backslashes (can be normalized to forward slashes)
+  if (path.includes('\\')) return false;
+
+  return true;
+}
+
+/**
+ * @name getSafeRedirectPath
+ * @description Returns the path if safe, otherwise returns the fallback.
+ * Use this to validate user-supplied redirect URLs to prevent open redirect attacks.
+ */
+export function getSafeRedirectPath(
+  path: string | null | undefined,
+  fallback: string,
+): string {
+  if (path && isSafeRedirectPath(path)) {
+    return path;
+  }
+
+  return fallback;
+}