mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-11-29 22:48:19 +02:00

Merge pull request from GHSA-5m6c-jp6f-2vcv

* Add more Open Redirect test cases

* Add whitelisted domain to test

* Add more test cases

* Improve invalid redirect regex
Joel Speed
2020-06-27 12:07:24 +01:00
committed by GitHub
parent 1b6c54cae1
commit ee5662e0f5
3 changed files with 641 additions and 1 deletions


@@ -63,7 +63,7 @@ var (
// Used to check final redirects are not susceptible to open redirects.
// Matches //, /\ and both of these with whitespace in between (eg / / or / \).
invalidRedirectRegex = regexp.MustCompile(`^/(\s|\v)?(/|\\)`)
invalidRedirectRegex = regexp.MustCompile(`[/\\](?:[\s\v]*|\.{1,2})[/\\]`)
)
// OAuthProxy is the main authentication proxy
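Review bot: The two comment lines above `invalidRedirectRegex` still describe the anchored pattern (`^/...`), but the pattern printed second, which appears to be the new side, is unanchored and also matches a dot or double-dot segment between two separators. I would update the comment to something like `// Matches //, /\, /./ and /../ (also with a backslash as either separator, or whitespace in between) anywhere in the redirect, not only at its start.` Because the match is no longer anchored, a relative redirect that carries an absolute URL in its query string (for example a parameter containing `//`) would also appear to be rejected. If that fail-closed behaviour is intended, the comment should say so, so that a later maintainer does not re-anchor the pattern to "fix" it. The `var (` block starts outside the hunk.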