Merge pull request #59 from ploxiln/invalid_redirect_v3

improve invalid redirect regex

oauthproxy.go

@@ -482,9 +482,9 @@ func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
 		log.Printf("invalid redirect: is auth start or sign_in path: %q", redirect)
 		return false
 	}
-	if match, _ := regexp.MatchString(`^/(\s|\v)?(/|\\)`, redirect); match {
-		// matches `//` or `/\` or `/ /` or `/ \` (prevent open-redirect tricks)
-		log.Printf("invalid redirect: multi-slash prefix: %q", redirect)
+	if match, _ := regexp.MatchString(`^[/\\](?:[\s\v]*|\.\.?)[/\\]`, redirect); match {
+		// prevent open-redirect tricks: `//` or `/\` or `/ /` or `/ \` or `/./\\` etc.
+		log.Printf("invalid redirect: tricky prefix: %q", redirect)
 		return false
 	}
 	if strings.HasPrefix(redirect, "/") {

oauthproxy_test.go

@@ -253,6 +253,27 @@ func TestIsValidRedirect(t *testing.T) {
 
 	openRedirectCarriageReturn2 := proxy.IsValidRedirect("/\r\\evil.com")
 	assert.Equal(t, false, openRedirectCarriageReturn2)
+
+	openRedirectTripleTab := proxy.IsValidRedirect("/\t\t/\t/evil.com")
+	assert.Equal(t, false, openRedirectTripleTab)
+
+	openRedirectTripleTab2 := proxy.IsValidRedirect("/\t\t\\\t/evil.com")
+	assert.Equal(t, false, openRedirectTripleTab2)
+
+	openRedirectQuadTab1 := proxy.IsValidRedirect("/\t\t/\t\t\\evil.com")
+	assert.Equal(t, false, openRedirectQuadTab1)
+
+	openRedirectQuadTab2 := proxy.IsValidRedirect("/\t\t\\\t\t/evil.com")
+	assert.Equal(t, false, openRedirectQuadTab2)
+
+	openRedirectPeriod1 := proxy.IsValidRedirect("/./\\evil.com")
+	assert.Equal(t, false, openRedirectPeriod1)
+
+	openRedirectPeriod2 := proxy.IsValidRedirect("/./../../\\evil.com")
+	assert.Equal(t, false, openRedirectPeriod2)
+
+	openRedirectDoubleTab := proxy.IsValidRedirect("/\t/\t\\evil.com")
+	assert.Equal(t, false, openRedirectDoubleTab)
 }
 
 type TestProvider struct {