Limit url to local path (#20025)

This commit is contained in:
stonezdj(Daojun Zhang) 2024-02-24 09:34:30 +08:00 committed by GitHub
parent 056c41fd80
commit 5b832c1724
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 28 additions and 1 deletions


@ -332,3 +332,8 @@ func MostMatchSorter(a, b string, matchWord string) bool {
} }
return len(a) < len(b) return len(a) < len(b)
} }
// IsLocalPath checks if path is local
func IsLocalPath(path string) bool {
return strings.HasPrefix(path, "/") && !strings.HasPrefix(path, "//")
}
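Review bot: The `//` exclusion in IsLocalPath does not cover a leading `/\`, which browsers normalize to a scheme-relative (protocol-relative) URL, so a redirect target with that prefix still passes the check while leaving the site. A prefix check alone is fragile here; at minimum extend the return to `return strings.HasPrefix(path, "/") && !strings.HasPrefix(path, "//") && !strings.HasPrefix(path, "/\\")`, or parse with `net/url` and additionally require an empty Scheme and Host. The doc comment would also be more useful if it stated the contract, e.g. `// IsLocalPath reports whether path is a same-site path: it must start with a single "/" and must not be a scheme-relative reference.` The corresponding case belongs in TestIsLocalPath in the next file section.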


@ -486,3 +486,25 @@ func TestValidateCronString(t *testing.T) {
} }
} }
} }
func TestIsLocalPath(t *testing.T) {
type args struct {
path string
}
tests := []struct {
name string
args args
want bool
}{
{"normal test", args{"/harbor/project"}, true},
{"failed", args{"www.myexample.com"}, false},
{"other_site1", args{"//www.myexample.com"}, false},
{"other_site2", args{"https://www.myexample.com"}, false},
{"other_site", args{"http://www.myexample.com"}, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
assert.Equalf(t, tt.want, IsLocalPath(tt.args.path), "IsLocalPath(%v)", tt.args.path)
})
}
}
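Review bot: The table omits the two boundary inputs the caller actually depends on: the empty string (an absent `redirect_url` query parameter) and the bare root `"/"`. With the implementation as written `""` yields false and `"/"` yields true, and pinning both makes the controller's behavior for a missing parameter explicit rather than incidental; add `{"empty", args{""}, false},` and `{"root", args{"/"}, true},` to the table. A backslash variant such as `{"backslash", args{"/\\www.myexample.com"}, false},` should go in as well once IsLocalPath rejects it, since the current implementation would return true for that input.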


@ -64,7 +64,7 @@ func (oc *OIDCController) RedirectLogin() {
return return
} }
redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url") redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
if strings.HasPrefix(redirectURL, "//") { if !utils.IsLocalPath(redirectURL) {
log.Errorf("invalid redirect url: %v", redirectURL) log.Errorf("invalid redirect url: %v", redirectURL)
oc.SendBadRequestError(fmt.Errorf("cannot redirect to other site")) oc.SendBadRequestError(fmt.Errorf("cannot redirect to other site"))
return return
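Review bot: The replaced condition changes how an absent `redirect_url` is handled: the old `strings.HasPrefix(redirectURL, "//")` let an empty value through, whereas `!utils.IsLocalPath("")` is true, so a login request without that parameter now gets a 400 "cannot redirect to other site". If an empty redirect is a legitimate "no redirect" case (the rest of RedirectLogin is outside this hunk, so this is inferred), guard it explicitly: `if redirectURL != "" && !utils.IsLocalPath(redirectURL) {`; if empty is meant to be rejected, the error message should say so instead of claiming another site. The log line interpolates user-controlled input with `%v`; `%q` would make empty and whitespace-only values visible in the log.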