feat: properly handle redirect url fragments and unusual hostnames

hf · hf · commit 0abba96bcc2c · 2025-10-13T12:25:18.000+02:00
diff --git a/internal/api/verify_test.go b/internal/api/verify_test.go
@@ -657,6 +657,20 @@ func (ts *VerifyTestSuite) TestVerifySignupWithRedirectURLContainedPath() {
 			requestredirectURL:  "http://test.dev:3000/bar/foo",
 			expectedredirectURL: "http://localhost:3000",
 		},
+		{
+			desc:                "redirect ignores fragment for validation",
+			siteURL:             "http://localhost:3000",
+			uriAllowList:        []string{"http://*.example.com/*"},
+			requestredirectURL:  "http://something#.example.com/abc",
+			expectedredirectURL: "http://localhost:3000",
+		},
+		{
+			desc:                "redirect ignores unusual hostnames",
+			siteURL:             "http://localhost:3000",
+			uriAllowList:        []string{"http://*.example.com/*"},
+			requestredirectURL:  "http://japanese。.example.com/abc",
+			expectedredirectURL: "http://localhost:3000",
+		},
 	}
 
 	for _, tC := range testCases {
diff --git a/internal/utilities/request.go b/internal/utilities/request.go
@@ -81,6 +81,7 @@ func GetReferrer(r *http.Request, config *conf.GlobalConfiguration) string {
 }
 
 var decimalIPAddressPattern = regexp.MustCompile("^[0-9]+$")
+var regularHostname = regexp.MustCompile("^[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?$")
 
 func IsRedirectURLValid(config *conf.GlobalConfiguration, redirectURL string) bool {
 	if redirectURL == "" {
@@ -105,11 +106,17 @@ func IsRedirectURLValid(config *conf.GlobalConfiguration, redirectURL string) bo
 		return false
 	} else if ip := net.ParseIP(refurl.Hostname()); ip != nil {
 		return ip.IsLoopback()
+	} else if !regularHostname.MatchString(refurl.Hostname()) {
+		// hostname uses characters that are not typically used
+		return false
 	}
 
 	// For case when user came from mobile app or other permitted resource - redirect back
 	for _, pattern := range config.URIAllowListMap {
-		if pattern.Match(redirectURL) {
+		// only match without the fragment
+		matchAgainst, _, _ := strings.Cut(redirectURL, "#")
+
+		if pattern.Match(matchAgainst) {
 			return true
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,7 @@ func GetReferrer(r http.Request, config conf.GlobalConfiguration) string {`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`var decimalIPAddressPattern = regexp.MustCompile("^[0-9]+$")`
	`84`	`+var regularHostname = regexp.MustCompile("^[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?$")`
`84`	`85`
`85`	`86`	`func IsRedirectURLValid(config *conf.GlobalConfiguration, redirectURL string) bool {`
`86`	`87`	`if redirectURL == "" {`
`@@ -105,11 +106,17 @@ func IsRedirectURLValid(config *conf.GlobalConfiguration, redirectURL string) bo`
`105`	`106`	`return false`
`106`	`107`	`} else if ip := net.ParseIP(refurl.Hostname()); ip != nil {`
`107`	`108`	`return ip.IsLoopback()`
	`109`	`+ } else if !regularHostname.MatchString(refurl.Hostname()) {`
	`110`	`+ // hostname uses characters that are not typically used`
	`111`	`+ return false`
`108`	`112`	`}`
`109`	`113`
`110`	`114`	`// For case when user came from mobile app or other permitted resource - redirect back`
`111`	`115`	`for _, pattern := range config.URIAllowListMap {`
`112`		`- if pattern.Match(redirectURL) {`
	`116`	`+ // only match without the fragment`
	`117`	`+ matchAgainst, _, _ := strings.Cut(redirectURL, "#")`
	`118`	`+`
	`119`	`+ if pattern.Match(matchAgainst) {`
`113`	`120`	`return true`
`114`	`121`	`}`
`115`	`122`	`}`