Skip to content

Commit

Permalink
[cherry-pick] Limit URL to local site (#20023)
Browse files Browse the repository at this point in the history
Limit url to local path

Signed-off-by: stonezdj <[email protected]>
Co-authored-by: stonezdj <[email protected]>
  • Loading branch information
stonezdj and stonezdj authored Feb 26, 2024
1 parent 3356196 commit 9115b9f
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 1 deletion.
5 changes: 5 additions & 0 deletions src/common/utils/utils.go
Original file line number Diff line number Diff line change
Expand Up @@ -342,3 +342,8 @@ func MostMatchSorter(a, b string, matchWord string) bool {
}
return len(a) < len(b)
}

// IsLocalPath checks if path is local
func IsLocalPath(path string) bool {
return strings.HasPrefix(path, "/") && !strings.HasPrefix(path, "//")
}
22 changes: 22 additions & 0 deletions src/common/utils/utils_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -486,3 +486,25 @@ func TestValidateCronString(t *testing.T) {
}
}
}

func TestIsLocalPath(t *testing.T) {
type args struct {
path string
}
tests := []struct {
name string
args args
want bool
}{
{"normal test", args{"/harbor/project"}, true},
{"failed", args{"www.myexample.com"}, false},
{"other_site1", args{"//www.myexample.com"}, false},
{"other_site2", args{"https://www.myexample.com"}, false},
{"other_site", args{"http://www.myexample.com"}, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
assert.Equalf(t, tt.want, IsLocalPath(tt.args.path), "IsLocalPath(%v)", tt.args.path)
})
}
}
8 changes: 7 additions & 1 deletion src/core/controllers/oidc.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,13 @@ func (oc *OIDCController) RedirectLogin() {
oc.SendInternalServerError(err)
return
}
if err := oc.SetSession(redirectURLKey, oc.Ctx.Request.URL.Query().Get("redirect_url")); err != nil {
redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
if !utils.IsLocalPath(redirectURL) {
log.Errorf("invalid redirect url: %v", redirectURL)
oc.SendBadRequestError(fmt.Errorf("cannot redirect to other site"))
return
}
if err := oc.SetSession(redirectURLKey, redirectURL); err != nil {
log.Errorf("failed to set session for key: %s, error: %v", redirectURLKey, err)
oc.SendInternalServerError(err)
return
Expand Down

0 comments on commit 9115b9f

Please sign in to comment.