
Strengthen check for absolute redirect

Open mccutchen opened this issue 2 years ago • 2 comments

We got a security alert regarding this line of code in the doRedirect() helper function:

https://github.com/mccutchen/go-httpbin/blob/8f905de9567b18185492ac6af36156a439d980a9/httpbin/handlers.go#L960-L960

Redirect URLs should be checked to ensure that user input cannot cause a site to redirect to arbitrary domains. This is often done with a check that the redirect URL begins with a slash, which most of the time is an absolute redirect on the same host. However, browsers interpret URLs beginning with // or /\ as absolute URLs. For example, a redirect to //example.com will redirect to https://example.com. Thus, redirect checks must also check the second character of redirect URLs.

mccutchen, Apr 23 '24 13:04
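One way to implement the stricter check the alert describes, written in Go as an added example rather than go-httpbin's own doRedirect code. The IsSafeLocalRedirect function and the /redirect-to handler below are assumptions for illustration: they accept only a single-slash absolute path and reject the "//host" and "/\host" prefixes, anything carrying a scheme or authority, and control characters that would split the Location header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// IsSafeLocalRedirect reports whether target is a redirect location that a
// browser will resolve against the current origin. It accepts only absolute
// paths ("/get", "/status/200?x=1#frag") and rejects anything that carries a
// scheme or authority, including the two prefixes the alert calls out:
// "//host" (scheme-relative) and "/\host" (browsers normalize "\" to "/").
// This is an illustrative helper, not go-httpbin's implementation.
func IsSafeLocalRedirect(target string) bool {
	// Must be a non-empty path that starts with "/".
	if target == "" || target[0] != '/' {
		return false
	}
	// The second character decides whether the first "/" is really a path:
	// "//" introduces an authority and "/\" is treated the same by browsers.
	if len(target) > 1 && (target[1] == '/' || target[1] == '\\') {
		return false
	}
	// Reject ASCII control characters (CR/LF would also inject headers).
	for i := 0; i < len(target); i++ {
		if target[i] < 0x20 || target[i] == 0x7f {
			return false
		}
	}
	// Defence in depth: after the prefix check, net/url must also see a
	// relative reference with no scheme, user info, or host.
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Opaque == "" && u.User == nil && u.Host == ""
}

// RedirectToHandler is a hypothetical /redirect-to endpoint: it redirects to
// the "url" query parameter only when that value passes IsSafeLocalRedirect.
func RedirectToHandler(w http.ResponseWriter, r *http.Request) {
	target := r.URL.Query().Get("url")
	if !IsSafeLocalRedirect(target) {
		http.Error(w, "refusing to redirect off-site", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// Redirect runs one request through RedirectToHandler and returns the status
// code and Location header it produced, so behaviour can be checked without a
// listening server.
func Redirect(target string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/redirect-to?url="+url.QueryEscape(target), nil)
	RedirectToHandler(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	// Constructed sample targets: one legitimate path and several off-site forms.
	samples := []string{"/get", "//evil.example/", `/\evil.example/`, "https://evil.example/", "/get\r\nX: y"}
	for _, t := range samples {
		code, loc := Redirect(t)
		fmt.Printf("%-24q -> %d %q\n", t, code, loc)
	}
}
```

The prefix test on the second character is what closes the gap the alert points at; the net/url parse afterwards is a belt-and-braces check that catches anything with a scheme or authority that the two-character test does not cover.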

@mccutchen unable to access the link above

sarathsp06, Apr 30 '24 12:04

@sarathsp06 ah, my bad, I guess it makes some sense that the code scanning alerts would be private. I've copied the relevant context to the issue itself.

mccutchen, Apr 30 '24 16:04