forked from casdoor/casdoor
feat: add redirectUriMatchesPattern()
This commit is contained in:
Yang Luo
@@ -373,46 +373,52 @@ func (application *Application) IsRedirectUriValid(redirectUri string) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
redirectUriObj, err := url.Parse(redirectUri)
|
||||
if err != nil || redirectUriObj.Host == "" {
|
||||
return false
|
||||
}
|
||||
|
||||
for _, targetUri := range application.RedirectUris {
|
||||
if targetUri == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
if redirectUri == targetUri {
|
||||
return true
|
||||
}
|
||||
|
||||
// URL-based comparison: scheme/host/port/path must each match.
|
||||
// The host may be the configured host or any subdomain of it.
|
||||
// This prevents "double-URL" attacks like https://evil.com/?x=https://legit.example.com/cb
|
||||
targetUriObj, err := url.Parse(targetUri)
|
||||
if err == nil && targetUriObj.Host != "" {
|
||||
if redirectUriMatchesTarget(redirectUriObj, targetUriObj) {
|
||||
return true
|
||||
}
|
||||
// The configured URI is a valid URL; skip regex fallback to avoid false positives.
|
||||
continue
|
||||
}
|
||||
|
||||
// Fall back to anchored full-string regex for wildcard patterns
|
||||
// (e.g. "https://.*\.example\.com/callback") that are not valid URLs.
|
||||
// Anchoring with ^...$ prevents partial-match bypasses.
|
||||
anchoredPattern := "^(?:" + targetUri + ")$"
|
||||
targetUriRegex, err := regexp.Compile(anchoredPattern)
|
||||
if err == nil && targetUriRegex.MatchString(redirectUri) {
|
||||
if redirectUriMatchesPattern(redirectUri, targetUri) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// redirectUriMatchesTarget checks if redirectUri matches targetUri with subdomain support.
|
||||
// Scheme, port, and path must match exactly. The host may be the target host or any subdomain of it.
|
||||
func redirectUriMatchesPattern(redirectUri, targetUri string) bool {
|
||||
if targetUri == "" {
|
||||
return false
|
||||
}
|
||||
if redirectUri == targetUri {
|
||||
return true
|
||||
}
|
||||
|
||||
redirectUriObj, err := url.Parse(redirectUri)
|
||||
if err != nil || redirectUriObj.Host == "" {
|
||||
return false
|
||||
}
|
||||
|
||||
targetUriObj, err := url.Parse(targetUri)
|
||||
if err == nil && targetUriObj.Host != "" {
|
||||
return redirectUriMatchesTarget(redirectUriObj, targetUriObj)
|
||||
}
|
||||
|
||||
withScheme, parseErr := url.Parse("https://" + targetUri)
|
||||
if parseErr == nil && withScheme.Host != "" {
|
||||
redirectHost := redirectUriObj.Hostname()
|
||||
targetHost := withScheme.Hostname()
|
||||
var hostMatches bool
|
||||
if strings.HasPrefix(targetHost, ".") {
|
||||
hostMatches = strings.HasSuffix(redirectHost, targetHost)
|
||||
} else {
|
||||
hostMatches = redirectHost == targetHost || strings.HasSuffix(redirectHost, "."+targetHost)
|
||||
}
|
||||
schemeOk := redirectUriObj.Scheme == "http" || redirectUriObj.Scheme == "https"
|
||||
pathMatches := withScheme.Path == "" || withScheme.Path == "/" || redirectUriObj.Path == withScheme.Path
|
||||
return schemeOk && hostMatches && pathMatches
|
||||
}
|
||||
|
||||
anchoredPattern := "^(?:" + targetUri + ")$"
|
||||
targetUriRegex, err := regexp.Compile(anchoredPattern)
|
||||
return err == nil && targetUriRegex.MatchString(redirectUri)
|
||||
}
|
||||
|
||||
func redirectUriMatchesTarget(redirectUri, targetUri *url.URL) bool {
|
||||
if redirectUri.Scheme != targetUri.Scheme {
|
||||
return false
|
||||
@@ -422,8 +428,6 @@ func redirectUriMatchesTarget(redirectUri, targetUri *url.URL) bool {
|
||||
}
|
||||
redirectHost := redirectUri.Hostname()
|
||||
targetHost := targetUri.Hostname()
|
||||
// Allow exact host match or subdomain (e.g. aaa.example.com for target example.com).
|
||||
// The "."+targetHost prefix prevents evilexample.com from matching example.com.
|
||||
if redirectHost != targetHost && !strings.HasSuffix(redirectHost, "."+targetHost) {
|
||||
return false
|
||||
}
|
||||
|
||||
79
object/application_util_test.go
Normal file
79
object/application_util_test.go
Normal file
@@ -0,0 +1,79 @@
|
||||
// Copyright 2026 The Casdoor Authors. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package object
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestRedirectUriMatchesPattern(t *testing.T) {
|
||||
tests := []struct {
|
||||
redirectUri string
|
||||
targetUri string
|
||||
want bool
|
||||
}{
|
||||
// Exact match
|
||||
{"https://login.example.com/callback", "https://login.example.com/callback", true},
|
||||
|
||||
// Full URL pattern: exact host
|
||||
{"https://login.example.com/callback", "https://login.example.com/callback", true},
|
||||
{"https://login.example.com/other", "https://login.example.com/callback", false},
|
||||
|
||||
// Full URL pattern: subdomain of configured host
|
||||
{"https://def.abc.com/callback", "abc.com", true},
|
||||
{"https://def.abc.com/callback", ".abc.com", true},
|
||||
{"https://def.abc.com/callback", ".abc.com/", true},
|
||||
{"https://deep.app.example.com/callback", "https://example.com/callback", true},
|
||||
|
||||
// Full URL pattern: unrelated host must not match
|
||||
{"https://evil.com/callback", "https://example.com/callback", false},
|
||||
// Suffix collision: evilexample.com must not match example.com
|
||||
{"https://evilexample.com/callback", "https://example.com/callback", false},
|
||||
|
||||
// Full URL pattern: scheme mismatch
|
||||
{"http://app.example.com/callback", "https://example.com/callback", false},
|
||||
|
||||
// Full URL pattern: path mismatch
|
||||
{"https://app.example.com/other", "https://example.com/callback", false},
|
||||
|
||||
// Scheme-less pattern: exact host
|
||||
{"https://login.example.com/callback", "login.example.com/callback", true},
|
||||
{"http://login.example.com/callback", "login.example.com/callback", true},
|
||||
|
||||
// Scheme-less pattern: subdomain of configured host
|
||||
{"https://app.login.example.com/callback", "login.example.com/callback", true},
|
||||
|
||||
// Scheme-less pattern: unrelated host must not match
|
||||
{"https://evil.com/callback", "login.example.com/callback", false},
|
||||
|
||||
// Scheme-less pattern: query-string injection must not match
|
||||
{"https://evil.com/?r=https://login.example.com/callback", "login.example.com/callback", false},
|
||||
{"https://evil.com/page?redirect=https://login.example.com/callback", "login.example.com/callback", false},
|
||||
|
||||
// Scheme-less pattern: path mismatch
|
||||
{"https://login.example.com/other", "login.example.com/callback", false},
|
||||
|
||||
// Scheme-less pattern: non-http scheme must not match
|
||||
{"ftp://login.example.com/callback", "login.example.com/callback", false},
|
||||
|
||||
// Empty target
|
||||
{"https://login.example.com/callback", "", false},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
got := redirectUriMatchesPattern(tt.redirectUri, tt.targetUri)
|
||||
if got != tt.want {
|
||||
t.Errorf("redirectUriMatchesPattern(%q, %q) = %v, want %v", tt.redirectUri, tt.targetUri, got, tt.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user