Security Vulnerability: Open Redirect in Delete Endpoints #184

@crit0x90

Description

I've discovered an open redirect vulnerability in this project. The issue exists in both the delete and bulk_delete endpoints in the resources.py file, where the application uses the HTTP Referer header without validation to redirect users after an operation completes.

Vulnerability Details

  • Vulnerability Type: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • Affected Endpoints: /{resource}/delete/{pk} and /{resource}/delete
  • Affected File: fastapi_admin/routes/resources.py
  • Severity: Medium

Technical Description

The issue occurs because the application directly uses the value from the referer HTTP header as the redirect target after a delete operation:

@router.delete("/{resource}/delete/{pk}")
async def delete(request: Request, pk: str, model: Model = Depends(get_model)):
    await model.filter(pk=pk).delete()
    return RedirectResponse(url=request.headers.get("referer"), status_code=HTTP_303_SEE_OTHER)

@router.delete("/{resource}/delete")
async def bulk_delete(request: Request, ids: str, model: Model = Depends(get_model)):
    await model.filter(pk__in=ids.split(",")).delete()
    return RedirectResponse(url=request.headers.get("referer"), status_code=HTTP_303_SEE_OTHER)

An attacker can modify the Referer header to redirect users to a malicious site after they perform a delete operation.

Proof of Concept

I confirmed this vulnerability with the following request:

curl -i -X DELETE https://fastapi-admin-pro.long2ice.io/admin/product/delete/416 \
-H "Referer: http://192.168.43.130:5000" \
-H "Cookie: access_token=a2fdc01cd9004c9199d6287ab4d0a602"

Response:

HTTP/2 303 
date: Sat, 03 May 2025 17:53:30 GMT
location: http://192.168.43.130:5000
server: uvicorn
content-length: 0

Suggested Fix

I recommend validating the redirect URL to ensure it belongs to the same domain as the application. I've created a pull request that implements the recommended changes: #185
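As an added illustration of the same-origin check described above (not code from the project and not the content of PR #185), the helper below derives a redirect target from the Referer header only when it points back at the application's own host, and otherwise falls back to a fixed path. APP_HOST and the default path are constructed values for the demonstration; the host to compare against should come from configuration, not from the request's Host header, which is also client-controlled.

```python
"""Same-origin validation for Referer-based redirects (added example, stdlib only)."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed value for this demonstration; in a real deployment this comes
# from application configuration.
APP_HOST = "fastapi-admin-pro.long2ice.io"


def safe_redirect_target(referer: Optional[str], app_host: str, default: str) -> str:
    """Return a redirect target based on *referer* only if it points at *app_host*,
    otherwise return *default*.

    The result is always a site-relative path (path plus query), never an
    absolute URL, so the Location header can never name a foreign origin.
    """
    if not referer:
        return default
    # Browsers normalise backslashes to slashes and strip control characters;
    # rather than model that behaviour, reject any value containing them.
    if "\\" in referer or any(ord(c) < 0x20 or c == "\x7f" for c in referer):
        return default
    parts = urlsplit(referer)
    # Only plain http(s) or scheme-less (relative) references are acceptable;
    # this rejects javascript:, data: and similar schemes.
    if parts.scheme not in ("", "http", "https"):
        return default
    # netloc includes port and any userinfo, so "http://host@evil.example/" and
    # the scheme-relative "//evil.example/x" are both rejected here.
    if parts.netloc and parts.netloc.lower() != app_host.lower():
        return default
    # What remains is either same-host or a bare relative reference. Require an
    # absolute path and refuse "//...", which a browser would treat as a new host.
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default
    return path + ("?" + parts.query if parts.query else "")
```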

References

OWASP: Unvalidated Redirects and Forwards
CWE-601: URL Redirection to Untrusted Site
