From 3a6a697f0a3a2ae2c2f0506d459e9a293c724f03 Mon Sep 17 00:00:00 2001
From: Bret Little <bret.little@shopify.com>
Date: Mon, 21 Nov 2022 14:20:14 -0500
Subject: [PATCH] Add `redirect_to`

---
 .../hydrogen-remix/src/routing/redirect.ts    | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/packages/hydrogen-remix/src/routing/redirect.ts b/packages/hydrogen-remix/src/routing/redirect.ts
index 2a1d09238c..29a80c4585 100644
--- a/packages/hydrogen-remix/src/routing/redirect.ts
+++ b/packages/hydrogen-remix/src/routing/redirect.ts
@@ -1,3 +1,4 @@
+import {redirect} from '@remix-run/oxygen';
 import type {HydrogenContext} from '@shopify/hydrogen';
 
 export async function notFoundMaybeRedirect(
@@ -23,10 +24,33 @@ export async function notFoundMaybeRedirect(
       },
     });
   } else {
+    const redirectPath = new URLSearchParams(search).get('redirect_to');
+
+    if (isLocalPath(redirectPath)) {
+      return redirect(redirectPath!);
+    }
+
     return new Response('Not found', {status: 404});
   }
 }
 
+function isLocalPath(url: string | null) {
+  if (!url) return false;
+
+  try {
+    // We don't want to redirect cross domain,
+    // doing so could create fishing vulnerability
+    // If `new URL()` succeeds, it's a fully qualified
+    // url which is cross domain. If it fails, it's just
+    // a path, which will be the current domain.
+    new URL(url);
+  } catch (e) {
+    return true;
+  }
+
+  return false;
+}
+
 const REDIRECT_QUERY = `#graphql
   query redirects($url:String) {
     urlRedirects(first:1, query:$url) {