arian/anubis-mirror
1
0
Fork 0
mirror of https://github.com/TecharoHQ/anubis.git synced 2026-04-26 10:02:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(lib): add additional validation logic for XSS protection

Browse Source 
Signed-off-by: Xe Iaso <me@xeiaso.net>
This commit is contained in:
Xe Iaso
2025-07-24 14:57:38 +00:00
parent 5700512da5
commit 45ff8f526e
2 changed files with 53 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/anubis.go
+14 -15
View File
@@ -384,6 +384,20 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
lg := internal.GetRequestLogger(r)
localizer := localization.GetLocalizer(r)
redir := r.FormValue("redir")
redirURL, err := url.ParseRequestURI(redir)
if err != nil {
lg.Error("invalid redirect", "err", err)
s.respondWithError(w, r, localizer.T("invalid_redirect"))
return
}
if redirURL.Scheme != "" && redirURL.Scheme != "http" && redirURL.Scheme != "https" {
lg.Error("XSS attempt blocked, invalid redirect scheme", "scheme", redirURL.Scheme)
s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
return
}
// Adjust cookie path if base prefix is not empty
cookiePath := "/"
if anubis.BasePrefix != "" {
@@ -398,21 +412,6 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
return
}
redir := r.FormValue("redir")
redirURL, err := url.ParseRequestURI(redir)
if err != nil {
lg.Error("invalid redirect", "err", err)
s.respondWithError(w, r, localizer.T("invalid_redirect"))
return
}
if redirURL.Scheme != "" && redirURL.Scheme != "http" && redirURL.Scheme != "https" {
lg.Error("XSS attempt blocked, invalid redirect scheme", "scheme", redirURL.Scheme)
s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
return
}
// used by the path checker rule
r.URL = redirURL