barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-11-07 09:35:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: allow for all subdomains to be considered safe for redirection

Browse Source
This commit is contained in:
Stavros
2025-11-04 17:58:56 +02:00
parent 57aca58de3
commit bb1ecd4183
2 changed files with 9 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
internal/utils/app_utils.go
View File

@@ -90,27 +90,19 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
return false return false
} }
parsedURL, err := url.Parse(redirectURL) parsed, err := url.Parse(redirectURL)
if err != nil { if err != nil {
return false return false
} }
if !parsedURL.IsAbs() { hostname := parsed.Hostname()
return false
}
host := parsedURL.Hostname() if strings.HasSuffix(hostname, domain) {
if host == domain {
return true return true
} }
cookieDomain, err := GetCookieDomain(redirectURL) return hostname == domain
if err != nil {
return false
}
return cookieDomain == domain
} }
func GetLogLevel(level string) zerolog.Level { func GetLogLevel(level string) zerolog.Level {

40
internal/utils/app_utils_test.go
View File

@@ -176,6 +176,11 @@ func TestIsRedirectSafe(t *testing.T) {
result = utils.IsRedirectSafe(redirectURL, domain) result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, true, result) assert.Equal(t, true, result)
// Case with sub-subdomain
redirectURL = "http://a.b.example.com/home"
result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, true, result)
// Case with empty redirect URL // Case with empty redirect URL
redirectURL = "" redirectURL = ""
result = utils.IsRedirectSafe(redirectURL, domain) result = utils.IsRedirectSafe(redirectURL, domain)
@@ -202,41 +207,6 @@ func TestIsRedirectSafe(t *testing.T) {
assert.Equal(t, false, result) assert.Equal(t, false, result)
} }
func TestIsRedirectSafeMultiLevel(t *testing.T) {
// Setup
cookieDomain := "tinyauth.example.com"
// Case with 3rd level domain
redirectURL := "http://tinyauth.example.com/welcome"
result := utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, true, result)
// Case with root domain
redirectURL = "http://example.com/unsafe"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, false, result)
// Case with 4th level domain
redirectURL = "http://auth.tinyauth.example.com/post-login"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, true, result)
// Case with 5th level domain (should be unsafe)
redirectURL = "http://x.auth.tinyauth.example.com/deep"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, false, result)
// Case with different subdomain
redirectURL = "http://auth.tinyauth.example.net/attack"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, false, result)
// Case with malformed URL
redirectURL = "http://[::1]:namedport"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, false, result)
}
func TestGetOAuthProvidersConfig(t *testing.T) { func TestGetOAuthProvidersConfig(t *testing.T) {
env := []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET=client1-secret"} env := []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET=client1-secret"}
args := []string{"/tinyauth/tinyauth", "--providers-client2-client-id=client2-id", "--providers-client2-client-secret=client2-secret"} args := []string{"/tinyauth/tinyauth", "--providers-client2-client-id=client2-id", "--providers-client2-client-secret=client2-secret"}