fix(lib): block XSS attacks via nonstandard URLs

This could allow an attacker to craft an Anubis pass-challenge URL that forces a redirect to nonstandard URLs, such as the `javascript:` scheme which executes arbitrary JavaScript code in a browser context when the user clicks the "Try again" button. Release-status: cut Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-14 12:38:45 +00:00 · 2025-07-24 13:49:15 +00:00
parent 21f570962c
commit a0a6b3f147
3 changed files with 92 additions and 0 deletions
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -399,12 +399,20 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	}

 	redir := r.FormValue("redir")
+
 	redirURL, err := url.ParseRequestURI(redir)
 	if err != nil {
 		lg.Error("invalid redirect", "err", err)
 		s.respondWithError(w, r, localizer.T("invalid_redirect"))
 		return
 	}
+
+	if redirURL.Scheme != "" && redirURL.Scheme != "http" && redirURL.Scheme != "https" {
+		lg.Error("XSS attempt blocked, invalid redirect scheme", "scheme", redirURL.Scheme)
+		s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
+		return
+	}
+
 	// used by the path checker rule
 	r.URL = redirURL