fix: ensure safe redirect check only accepts actual domains

Stavros
2026-01-17 20:36:42 +02:00
parent 87e2b52a04
commit d67c3ab8a4
2 changed files with 7 additions and 1 deletions


@@ -2,6 +2,7 @@ package utils
import ( import (
"errors" "errors"
"fmt"
"net" "net"
"net/url" "net/url"
"strings" "strings"
@@ -95,7 +96,7 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
hostname := parsed.Hostname() hostname := parsed.Hostname()
if strings.HasSuffix(hostname, domain) { if strings.HasSuffix(hostname, fmt.Sprintf(".%s", domain)) {
return true return true
} }
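Review bot: The new suffix test `strings.HasSuffix(hostname, fmt.Sprintf(".%s", domain))` no longer accepts a redirect to the bare domain itself, because `example.com` ends with `example.com` but not with `.example.com`; unless an exact-match comparison precedes this line outside the hunk, same-host redirects are now rejected, and since IsRedirectSafe's body starts and ends outside the hunk I cannot confirm one exists. Consider `if hostname == domain || strings.HasSuffix(hostname, "."+domain) {`, which also removes the need for the fmt import. Both comparisons are case-sensitive while DNS names are not, so lower-casing both sides once (or `strings.EqualFold` for the exact part) avoids rejecting a hostname written as `App.Example.com`. An empty `domain` turns the suffix into `"."`, which a hostname written with a trailing dot satisfies, so if the configured domain can be empty a `domain == ""` guard returning false at the top of the function is worth adding.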


@@ -205,4 +205,9 @@ func TestIsRedirectSafe(t *testing.T) {
redirectURL = "http://example.org/page" redirectURL = "http://example.org/page"
result = utils.IsRedirectSafe(redirectURL, domain) result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, false, result) assert.Equal(t, false, result)
// Case with malicious domain
redirectURL = "https://malicious-example.com/yoyo"
result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, false, result)
} }
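Review bot: The new case only pins the rejection of `malicious-example.com`; the regression the suffix change can introduce, a redirect to the bare domain that the plain `HasSuffix` used to accept, has no positive assertion next to it. Add e.g. `redirectURL = "https://" + domain + "/page"` with `assert.True(t, result)`, and a subdomain case such as `https://sub.` + domain if one is not already present earlier in TestIsRedirectSafe, whose body starts outside the hunk so I cannot see what `domain` is set to. For the new assertion `assert.False(t, result)` reads better than `assert.Equal(t, false, result)`, though the surrounding lines use the same form.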