auth: ensure the redirect URL always starts with a single slash (#10167)
Co-Authored-By: Keegan Carruthers-Smith <keegan.csmith@gmail.com>
unknwon and keegancsmith committed Apr 26, 2020
1 parent f35c82c commit c0f4817
Showing 2 changed files with 14 additions and 9 deletions.
4 changes: 4 additions & 0 deletions cmd/frontend/auth/redirect.go
Expand Up @@ -2,6 +2,7 @@ package auth

import (
"net/url"
"path"
"strings"
)

Expand All @@ -15,6 +16,9 @@ func SafeRedirectURL(urlStr string) string {
return "/"
}

// Make sure u.Path always starts with a single slash.
u.Path = path.Clean(u.Path)

// Only take certain known-safe fields.
u = &url.URL{Path: u.Path, RawQuery: u.RawQuery}
return u.String()
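Review bot: The comment above the new `u.Path = path.Clean(u.Path)` line says the path always starts with a single slash, but `path.Clean` does not add one: `Clean("")` returns `"."` and `Clean("a/b")` returns `"a/b"`, so a parsed URL with an empty or relative path (a query-only input, for instance) would come out as `.?b` or `a/b` rather than an absolute path. Unless the guard above the hunk already rejects such inputs, `u.Path = path.Clean("/" + u.Path)` enforces what the comment promises; Clean collapses the doubled slash when the path already begins with one. SafeRedirectURL's body starts outside the hunk, so the condition behind the early `return "/"` is not visible here.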
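--- a/cmd/frontend/auth/redirect_test.go
+++ b/cmd/frontend/auth/redirect_test.go
@@ -4,15 +4,16 @@ import "testing"
 
 func TestSafeRedirectURL(t *testing.T) {
 tests := map[string]string{
-"": "/",
-"/": "/",
-"a@b.com:c": "/",
-"a@b.com/c": "/",
-"//a": "/",
-"http://a.com/b": "/b",
-"//a.com/b": "/b",
-"//a@b.com/c": "/c",
-"/a?b": "/a?b",
+"": "/",
+"/": "/",
+"a@b.com:c": "/",
+"a@b.com/c": "/",
+"//a": "/",
+"http://a.com/b": "/b",
+"//a.com/b": "/b",
+"//a@b.com/c": "/c",
+"/a?b": "/a?b",
+"//foo//example.com": "/example.com",
 }
 for input, want := range tests {
 got := SafeRedirectURL(input)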
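Review bot: The only new table entry, `"//foo//example.com": "/example.com"`, exercises just the host-stripping case; the `path.Clean` call it pins also rewrites `..` segments and collapses repeated slashes in ordinary paths, and nothing in the table covers that. Adding `"/a/../b": "/b",` and `"/a//b/": "/a/b",` would lock in that behaviour so a later change to the cleaning step is caught by this test rather than in production.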
