sophie/nuke
1
0
Fork 0
Code Packages 1 Activity Actions

fix(lib): add additional validation logic for XSS protection

Browse source 
Signed-off-by: Xe Iaso <me@xeiaso.net>
This commit is contained in:
Xe Iaso 2025-07-24 14:57:38 +00:00
parent 5700512da5
commit 45ff8f526e
No known key found for this signature in database
2 changed files with 53 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

29
lib/anubis.go
View file

@ -384,6 +384,20 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
lg := internal.GetRequestLogger(r)
localizer := localization.GetLocalizer(r)
redir := r.FormValue("redir")
redirURL, err := url.ParseRequestURI(redir)
if err != nil {
lg.Error("invalid redirect", "err", err)
s.respondWithError(w, r, localizer.T("invalid_redirect"))
return
}
if redirURL.Scheme != "" && redirURL.Scheme != "http" && redirURL.Scheme != "https" {
lg.Error("XSS attempt blocked, invalid redirect scheme", "scheme", redirURL.Scheme)
s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
return
}
// Adjust cookie path if base prefix is not empty
cookiePath := "/"
if anubis.BasePrefix != "" {
@ -398,21 +412,6 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
return
}
redir := r.FormValue("redir")
redirURL, err := url.ParseRequestURI(redir)
if err != nil {
lg.Error("invalid redirect", "err", err)
s.respondWithError(w, r, localizer.T("invalid_redirect"))
return
}
if redirURL.Scheme != "" && redirURL.Scheme != "http" && redirURL.Scheme != "https" {
lg.Error("XSS attempt blocked, invalid redirect scheme", "scheme", redirURL.Scheme)
s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
return
}
// used by the path checker rule
r.URL = redirURL