fix: ensure safe redirect check only accepts actual domains

2026-01-18 21:32:28 +00:00 · 2026-01-17 20:36:42 +02:00
parent 87e2b52a04
commit d67c3ab8a4
2 changed files with 7 additions and 1 deletions
--- a/internal/utils/app_utils.go
+++ b/internal/utils/app_utils.go
@@ -2,6 +2,7 @@ package utils

 import (
 	"errors"
+	"fmt"
 	"net"
 	"net/url"
 	"strings"
@@ -95,7 +96,7 @@ func IsRedirectSafe(redirectURL string, domain string) bool {

 	hostname := parsed.Hostname()

-	if strings.HasSuffix(hostname, domain) {
+	if strings.HasSuffix(hostname, fmt.Sprintf(".%s", domain)) {
 		return true
 	}