Redirect URLs should be checked to ensure that user input cannot cause a site to redirect to arbitrary domains. This is often done with a check that the redirect URL begins with a slash, which most of the time is an absolute redirect on the same host. However, browsers interpret URLs beginning with // or /\ as absolute URLs. For example, a redirect to //example.com will redirect to https://example.com. Thus, redirect checks must also check the second character of redirect URLs.
@sarathsp06 ah, my bad, I guess it makes some sense that the code scanning alerts would be private. I've copied the relevant context to the issue itself.
We got a security alert regarding this line of code in the doRedirect() helper function: https://github.com/mccutchen/go-httpbin/blob/8f905de9567b18185492ac6af36156a439d980a9/httpbin/handlers.go#L960-L960
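The alert text above describes the gap between a "starts with a slash" check and an actual same-host guarantee. The following Go snippet is an added illustration, not code from go-httpbin or from anyone in this thread: it places the naive leading-slash check beside a stricter one that also rejects a second `/` or `\` and then confirms with `net/url` that no scheme or host survived parsing. Function names and the `evil.example` host in the sample inputs are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveLocalRedirect is the pattern the alert warns about: a leading slash
// is taken to mean "same host", so //evil.example and /\evil.example pass.
// (Hypothetical helper, not go-httpbin's code.)
func naiveLocalRedirect(target string) bool {
	return strings.HasPrefix(target, "/")
}

// safeLocalRedirect requires a leading slash, rejects a second '/' or '\'
// (browsers treat both as protocol-relative, i.e. cross-host, URLs), and
// then parses the value to make sure no scheme or host slipped through.
// (Hypothetical helper, not go-httpbin's code.)
func safeLocalRedirect(target string) bool {
	if len(target) == 0 || target[0] != '/' {
		return false
	}
	if len(target) > 1 && (target[1] == '/' || target[1] == '\\') {
		return false
	}
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	// A genuinely local path has no scheme, no authority and no opaque part.
	return u.Scheme == "" && u.Host == "" && u.Opaque == ""
}

func main() {
	// Constructed sample redirect targets: one legitimate local path and
	// several values that a leading-slash check alone would accept.
	samples := []string{
		"/anything",
		"//evil.example/phish",
		"/\\evil.example/phish",
		"https://evil.example/",
		"",
	}
	for _, s := range samples {
		fmt.Printf("%-24q naive=%-5v safe=%v\n", s, naiveLocalRedirect(s), safeLocalRedirect(s))
	}
}
```

The second-character test is what the alert asks for; the `net/url` round trip is an extra belt-and-braces check so that any future parser quirk that turns a slash-prefixed string into a URL with a host is still caught.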