fix(lib): block XSS attacks via nonstandard URLs (#904)

* fix(lib): block XSS attacks via nonstandard URLs This could allow an attacker to craft an Anubis pass-challenge URL that forces a redirect to nonstandard URLs, such as the `javascript:` scheme which executes arbitrary JavaScript code in a browser context when the user clicks the "Try again" button. Release-status: cut Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-07-24 10:05:00 -04:00 · 2025-07-24 10:05:00 -04:00 · d40e9056bc
commit d40e9056bc
parent 21f570962c
5 changed files with 98 additions and 1 deletions
--- a/lib/anubis.go
+++ b/lib/anubis.go
@ -399,12 +399,20 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	}

 	redir := r.FormValue("redir")
+
 	redirURL, err := url.ParseRequestURI(redir)
 	if err != nil {
 		lg.Error("invalid redirect", "err", err)
 		s.respondWithError(w, r, localizer.T("invalid_redirect"))
 		return
 	}
+
+	if redirURL.Scheme != "" && redirURL.Scheme != "http" && redirURL.Scheme != "https" {
+		lg.Error("XSS attempt blocked, invalid redirect scheme", "scheme", redirURL.Scheme)
+		s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
+		return
+	}
+
 	// used by the path checker rule
 	r.URL = redirURL