Bug #15560

closed

[API] Restrict endpoints and/or prompt user before giving out token

Added by Peter Amstutz over 4 years ago. Updated over 4 years ago.

Status:
Duplicate
Priority:
Normal
Assigned To:
-
Category:
-
Target version:
-
Story points:
-

Description

The '/login' endpoint does not check that the 'return_to' parameter is recognized and authorized to accept tokens. As a result, if a user clicks on a malicious link and proceeds to log in, the token may be sent to a malicious site of the attacker's choosing, gaining full access to the user account.

Possible solutions:

  • Prompt user when redirecting to an unrecognized URL (this has the drawback that non-expert users will still just click "ok")
  • Whitelist endpoints: we already have the concept of "ApiClient" which is basically this, but currently isn't used to restrict sending tokens, although it slightly restricts the permission of the token itself (a token sent to an "untrusted" client can't be used to list/create other tokens, but can still do everything else).
  • Associate endpoints with clusters, and whitelist which clusters get the full-access token.
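Added example, not Arvados code: the snippet below contrasts the behaviour the report describes (any `return_to` is accepted, so the token is appended to an attacker-chosen URL) with the "whitelist endpoints" option, implemented as a check of `return_to` against the URL prefixes of registered clients. The client list, the `url_prefix` field, and the helper names are assumptions for the example.

```ruby
require 'uri'

# Constructed list of registered clients, standing in for the "ApiClient"
# records the issue mentions. The url_prefix values are assumptions for this
# example, not Arvados data.
REGISTERED_CLIENTS = [
  { name: 'workbench', url_prefix: 'https://workbench.example.com/' },
  { name: 'jupyterhub', url_prefix: 'https://notebooks.example.com/hub/' }
].freeze

# The behaviour the bug describes: return_to is trusted as-is, so the token
# is appended to whatever URL the attacker put in the link.
def naive_redirect(return_to, token)
  sep = return_to.include?('?') ? '&' : '?'
  "#{return_to}#{sep}api_token=#{token}"
end

# Hardened check: return the registered client whose url_prefix covers
# return_to, or nil. Scheme, host and port must match exactly and the path
# must start with the registered prefix. Userinfo and ".." path segments are
# rejected so that "https://workbench.example.com@evil.example/" and
# "/hub/../admin" do not slip through.
def find_client(return_to)
  uri = URI.parse(return_to)
  return nil unless uri.is_a?(URI::HTTPS) && uri.host
  return nil if uri.userinfo
  return nil if uri.path.split('/').include?('..')
  REGISTERED_CLIENTS.find do |client|
    prefix = URI.parse(client[:url_prefix])
    uri.scheme == prefix.scheme &&
      uri.host.casecmp?(prefix.host) &&
      uri.port == prefix.port &&
      uri.path.start_with?(prefix.path)
  end
rescue URI::InvalidURIError
  nil
end

# Redirect (with the token attached) only when return_to belongs to a
# registered client; otherwise return nil so the caller renders an error
# page instead of redirecting.
def safe_redirect(return_to, token)
  return nil unless find_client(return_to)
  uri = URI.parse(return_to)
  params = URI.decode_www_form(uri.query || '') << ['api_token', token]
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  evil = 'https://evil.example/steal'
  puts naive_redirect(evil, 'secret')   # token leaks to the attacker's site
  p safe_redirect(evil, 'secret')       # nil: not a registered client
  puts safe_redirect('https://workbench.example.com/projects', 'secret')
end
```

Matching on an exact host rather than a substring is the point of the check: `workbench.example.com.evil.example` and `workbench.example.com@evil.example` both contain the legitimate hostname and both must fail. The "prompt the user" option from the description could be layered on top for URLs that fail this check, but the allowlist is what actually stops the token leaving the deployment.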
#1

Updated by Peter Amstutz over 4 years ago

  • Status changed from New to In Progress
#2

Updated by Peter Amstutz over 4 years ago

  • Status changed from In Progress to New
#3

Updated by Peter Amstutz over 4 years ago

  • Description updated (diff)
#4

Updated by Peter Amstutz over 4 years ago

  • Description updated (diff)
#6

Updated by Tom Clegg over 4 years ago

  • Status changed from New to Duplicate
  • Target version deleted (To Be Groomed)