This commit is contained in:
wucm667 2026-04-30 09:45:13 +08:00 committed by GitHub
commit 822a795fdd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 37 additions and 8 deletions


@ -44,7 +44,43 @@ func (v *validator) IsValidRedirect(redirect string) bool {
// The user didn't specify a redirect.
// In this case, we expect the proxt to fallback to `/`
return false
case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !invalidRedirectRegex.MatchString(redirect):
case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
// Check path portion for open redirect patterns
path := redirect
queryString := ""
if idx := strings.IndexAny(redirect, "?#"); idx != -1 {
path = redirect[:idx]
if redirect[idx] == '?' {
queryString = redirect[idx+1:]
if fragIdx := strings.Index(queryString, "#"); fragIdx != -1 {
queryString = queryString[:fragIdx]
}
}
}
// Check path for open redirect patterns
if invalidRedirectRegex.MatchString(path) {
return false
}
// Check common redirect parameter values for open redirect patterns
// These parameters are commonly used for redirects and should be validated
redirectParams := []string{"url", "next", "redirect", "redir", "rurl", "redirect_uri", "desiredLocationUrl"}
if queryString != "" {
parsedQuery, err := url.ParseQuery(queryString)
if err == nil {
for _, param := range redirectParams {
if values := parsedQuery[param]; len(values) > 0 {
for _, value := range values {
if invalidRedirectRegex.MatchString(value) {
return false
}
}
}
}
}
}
return true
case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
redirectURL, err := url.Parse(redirect)
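Review bot: The `if err == nil` guard around `url.ParseQuery` fails open: whenever the query string contains something ParseQuery rejects, the whole loop over `redirectParams` is skipped and the function returns true even though the `url`/`next`/… values were never tested against `invalidRedirectRegex`. ParseQuery documents that a non-nil error means at least one parameter was dropped from the returned map, so the safer choice is to reject the redirect rather than ignore the error: `parsedQuery, err := url.ParseQuery(queryString)` / `if err != nil { return false }`. Two smaller points: the parameter lookup is an exact, case-sensitive key match, so a key such as `Url` or `NEXT` is not inspected, and `redirectParams` is allocated on every call where a package-level `var redirectParams = []string{...}` would do. The enclosing `IsValidRedirect` starts before this hunk and its switch continues past it.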


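--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -238,10 +238,6 @@
 //www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
 //www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
 /<>//example.com
-/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
-/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
-/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
-/ReceiveAutoRedirect/false?desiredLocationUrl=http://xssposed.org
 /\/\/example.com/
 /\/example.com/
 /\/google.com/
@@ -300,9 +296,6 @@
 /https://www.whitelisteddomain.tld@www.google.com/%2e%2e
 /https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
 /localdomain.pw/%2f%2e%2e
-/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
-/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
-/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
 /x:1/:///%01javascript:alert(document.cookie)/
 <>//google.com
 <>//localdomain.pw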