@@ -0,0 +1,99 @@ |
| | 1 | +// SPDX-License-Identifier: AGPL-3.0-or-later |
| | 2 | + |
| | 3 | +// Package openredirect validates `next=` style redirect targets so a |
| | 4 | +// crafted query parameter can't bounce a logged-in user off-host |
| | 5 | +// (the canonical phishing primitive). The Safe predicate accepts: |
| | 6 | +// |
| | 7 | +// - relative paths starting with a single `/` (not `//`, not `/\`) |
| | 8 | +// - absolute URLs whose host matches an operator-approved allow-list |
| | 9 | +// |
| | 10 | +// Anything else is rejected. Callers fall back to a known-safe default |
| | 11 | +// (typically `/`) on rejection. |
| | 12 | +package openredirect |
| | 13 | + |
| | 14 | +import ( |
| | 15 | + "net/url" |
| | 16 | + "strings" |
| | 17 | +) |
| | 18 | + |
| | 19 | +// Config governs which absolute redirect targets are allowed. The |
| | 20 | +// zero value accepts only relative paths — the safest default for |
| | 21 | +// most surfaces. |
| | 22 | +type Config struct { |
| | 23 | + // AllowedHosts is the exact, case-insensitive host allow-list |
| | 24 | + // for absolute redirect targets. Typical content: the deployment's |
| | 25 | + // canonical hostname plus any apex/www variants. Empty disables |
| | 26 | + // absolute-URL redirects entirely. |
| | 27 | + AllowedHosts []string |
| | 28 | +} |
| | 29 | + |
| | 30 | +// Safe reports whether candidate is a safe redirect target under cfg. |
| | 31 | +// Empty input returns false; callers should pre-screen and substitute |
| | 32 | +// the default themselves. |
| | 33 | +func (cfg Config) Safe(candidate string) bool { |
| | 34 | + if candidate == "" { |
| | 35 | + return false |
| | 36 | + } |
| | 37 | + // Two-leading-slash protocol-relative URLs (`//attacker.tld/x`) |
| | 38 | + // are absolute under the browser's resolution; reject early so a |
| | 39 | + // later relative-path check doesn't accept them. |
| | 40 | + if strings.HasPrefix(candidate, "//") { |
| | 41 | + return false |
| | 42 | + } |
| | 43 | + // Reverse-slash trick (`/\evil.tld`): some browsers normalise the |
| | 44 | + // `\` into `/` and treat the result as protocol-relative. Block. |
| | 45 | + if strings.HasPrefix(candidate, "/\\") { |
| | 46 | + return false |
| | 47 | + } |
| | 48 | + u, err := url.Parse(candidate) |
| | 49 | + if err != nil { |
| | 50 | + return false |
| | 51 | + } |
| | 52 | + // Relative path: scheme empty AND host empty AND starts with `/`. |
| | 53 | + if u.Scheme == "" && u.Host == "" { |
| | 54 | + return strings.HasPrefix(u.Path, "/") |
| | 55 | + } |
| | 56 | + // Absolute URL: scheme must be http(s) and host must be allow-listed. |
| | 57 | + if u.Scheme != "http" && u.Scheme != "https" { |
| | 58 | + return false |
| | 59 | + } |
| | 60 | + host := u.Hostname() |
| | 61 | + if host == "" { |
| | 62 | + return false |
| | 63 | + } |
| | 64 | + for _, h := range cfg.AllowedHosts { |
| | 65 | + if equalFold(h, host) { |
| | 66 | + return true |
| | 67 | + } |
| | 68 | + } |
| | 69 | + return false |
| | 70 | +} |
| | 71 | + |
| | 72 | +// SafeOr returns candidate when Safe(candidate), otherwise fallback. |
| | 73 | +// The single-call convenience for handlers that want to default to |
| | 74 | +// `/` after rejection. |
| | 75 | +func (cfg Config) SafeOr(candidate, fallback string) string { |
| | 76 | + if cfg.Safe(candidate) { |
| | 77 | + return candidate |
| | 78 | + } |
| | 79 | + return fallback |
| | 80 | +} |
| | 81 | + |
| | 82 | +func equalFold(a, b string) bool { |
| | 83 | + if len(a) != len(b) { |
| | 84 | + return false |
| | 85 | + } |
| | 86 | + for i := 0; i < len(a); i++ { |
| | 87 | + ca, cb := a[i], b[i] |
| | 88 | + if 'A' <= ca && ca <= 'Z' { |
| | 89 | + ca += 'a' - 'A' |
| | 90 | + } |
| | 91 | + if 'A' <= cb && cb <= 'Z' { |
| | 92 | + cb += 'a' - 'A' |
| | 93 | + } |
| | 94 | + if ca != cb { |
| | 95 | + return false |
| | 96 | + } |
| | 97 | + } |
| | 98 | + return true |
| | 99 | +} |
