mirror of
https://github.com/goharbor/harbor.git
synced 2025-01-11 18:38:14 +01:00
Limit url to local path (#20025)
This commit is contained in:
parent
056c41fd80
commit
5b832c1724
@ -332,3 +332,8 @@ func MostMatchSorter(a, b string, matchWord string) bool {
|
||||
}
|
||||
return len(a) < len(b)
|
||||
}
|
||||
|
||||
// IsLocalPath checks if path is local
|
||||
func IsLocalPath(path string) bool {
|
||||
return strings.HasPrefix(path, "/") && !strings.HasPrefix(path, "//")
|
||||
}
|
||||
|
@ -486,3 +486,25 @@ func TestValidateCronString(t *testing.T) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestIsLocalPath(t *testing.T) {
|
||||
type args struct {
|
||||
path string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want bool
|
||||
}{
|
||||
{"normal test", args{"/harbor/project"}, true},
|
||||
{"failed", args{"www.myexample.com"}, false},
|
||||
{"other_site1", args{"//www.myexample.com"}, false},
|
||||
{"other_site2", args{"https://www.myexample.com"}, false},
|
||||
{"other_site", args{"http://www.myexample.com"}, false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
assert.Equalf(t, tt.want, IsLocalPath(tt.args.path), "IsLocalPath(%v)", tt.args.path)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
@ -64,7 +64,7 @@ func (oc *OIDCController) RedirectLogin() {
|
||||
return
|
||||
}
|
||||
redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
|
||||
if strings.HasPrefix(redirectURL, "//") {
|
||||
if !utils.IsLocalPath(redirectURL) {
|
||||
log.Errorf("invalid redirect url: %v", redirectURL)
|
||||
oc.SendBadRequestError(fmt.Errorf("cannot redirect to other site"))
|
||||
return
|
||||
|
Loading…
Reference in New Issue
Block a user