fix: disallow external url during oauth login

getfider · Mar 24, 2023 · b5c626b · b5c626b
1 parent cce8efa
commit b5c626b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/app/handlers/oauth.go b/app/handlers/oauth.go
@@ -239,6 +239,8 @@ func SignInByOAuth() web.HandlerFunc {
 
 		if redirect == "" {
 			redirect = c.BaseURL()
+		} else if !strings.HasPrefix(redirect, c.BaseURL()) {
+			return c.Forbidden()
 		}
 
 		redirectURL, _ := url.ParseRequestURI(redirect)

diff --git a/app/handlers/oauth_test.go b/app/handlers/oauth_test.go
@@ -45,6 +45,21 @@ func TestSignInByOAuthHandler(t *testing.T) {
 	RegisterT(t)
 	bus.Init(&oauth.Service{})
 
+	server := mock.NewServer()
+	code, _ := server.
+		AddParam("provider", app.FacebookProvider).
+		AddCookie(web.CookieSessionName, "MY_SESSION_ID").
+		WithURL("http://avengers.test.fider.io/oauth/facebook?redirect=http://evil.com").
+		Use(middlewares.Session()).
+		Execute(handlers.SignInByOAuth())
+
+	Expect(code).Equals(http.StatusForbidden)
+}
+
+func TestSignInByOAuthHandler_InvalidURL(t *testing.T) {
+	RegisterT(t)
+	bus.Init(&oauth.Service{})
+
 	server := mock.NewServer()
 	code, response := server.
 		AddParam("provider", app.FacebookProvider).