Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: mitigate allowed redirect domain bypass #174

Merged
merged 1 commit into from
May 12, 2024
Merged

fix: mitigate allowed redirect domain bypass #174

merged 1 commit into from
May 12, 2024

Conversation

mccutchen
Copy link
Owner

Before this change, it was possible to bypass go-httpbin's allowed redirect domain configuration by passing an absolute URL without a scheme (e.g. //evil.com) to the /redirect-to endpoint.

Fixes #173.

@mccutchen
fix: mitigate allowed redirect domain bypass
5f35430 
Before this change, it was possible to bypass go-httpbin's allowed
redirect domain configuration by passing an absolute URL without a
scheme (e.g. `//evil.com`) to the `/redirect-to` endpoint.

Fixes #173.
github-advanced-security[bot]
github-advanced-security bot found potential problems May 12, 2024
View reviewed changes
httpbin/handlers.go Dismissed Show dismissed Hide dismissed
@codecov Codecov
Copy link

codecov bot commented May 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.04%. Comparing base (8f905de) to head (5f35430).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #174   +/-   ##
=======================================
  Coverage   95.04%   95.04%           
=======================================
  Files          10       10           
  Lines        2179     2179           
=======================================
  Hits         2071     2071           
  Misses         74       74           
  Partials       34       34
Files Coverage Δ
httpbin/handlers.go 99.57% <100.00%> (ø)

@mccutchen mccutchen merged commit 874932b into main May 12, 2024
7 checks passed
@mccutchen mccutchen deleted the absolute-redirects branch May 12, 2024 16:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Strengthen check for absolute redirect
1 participant
@mccutchen