Merge branch 'main' into dependabot/go_modules/src/github.com/aliyun/…

…alibaba-cloud-sdk-go-1.62.680
goharbor · Feb 23, 2024 · dd89a19 · dd89a19
2 parents a010528 + 54819ba
commit dd89a19
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/core/controllers/oidc.go b/src/core/controllers/oidc.go
@@ -63,7 +63,13 @@ func (oc *OIDCController) RedirectLogin() {
 		oc.SendInternalServerError(err)
 		return
 	}
-	if err := oc.SetSession(redirectURLKey, oc.Ctx.Request.URL.Query().Get("redirect_url")); err != nil {
+	redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
+	if strings.HasPrefix(redirectURL, "//") {
+		log.Errorf("invalid redirect url: %v", redirectURL)
+		oc.SendBadRequestError(fmt.Errorf("cannot redirect to other site"))
+		return
+	}
+	if err := oc.SetSession(redirectURLKey, redirectURL); err != nil {
 		log.Errorf("failed to set session for key: %s, error: %v", redirectURLKey, err)
 		oc.SendInternalServerError(err)
 		return