From fa6b13871f4d9aaf531d91cc415f6896a311e331 Mon Sep 17 00:00:00 2001
From: Shijun Sun <30999793+AllForNothing@users.noreply.github.com>
Date: Fri, 23 Feb 2024 13:32:46 +0800
Subject: [PATCH 1/2] Remove redundant file package-lock.json under src folder (#20007)
Signed-off-by: Shijun Sun <373492212@qq.com>
Co-authored-by: MinerYang
---
 package-lock.json | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 package-lock.json
diff --git a/package-lock.json b/package-lock.json
deleted file mode 100644
index a23291ee73a..00000000000
--- a/package-lock.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "name": "harbor",
- "lockfileVersion": 3,
- "requires": true,
- "packages": {}
-}
From 54819ba8cd973e77505843424bd86e836b3442ea Mon Sep 17 00:00:00 2001
From: "stonezdj(Daojun Zhang)"
Date: Fri, 23 Feb 2024 15:40:13 +0800
Subject: [PATCH 2/2] Limit url to local site (#20013)
Signed-off-by: stonezdj
Co-authored-by: stonezdj
---
 src/core/controllers/oidc.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/core/controllers/oidc.go b/src/core/controllers/oidc.go
index 9987867845b..c929676c225 100644
--- a/src/core/controllers/oidc.go
+++ b/src/core/controllers/oidc.go
@@ -63,7 +63,13 @@ func (oc *OIDCController) RedirectLogin() {
 oc.SendInternalServerError(err)
 return
 }
- if err := oc.SetSession(redirectURLKey, oc.Ctx.Request.URL.Query().Get("redirect_url")); err != nil {
+ redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
+ if strings.HasPrefix(redirectURL, "//") {
+ log.Errorf("invalid redirect url: %v", redirectURL)
+ oc.SendBadRequestError(fmt.Errorf("cannot redirect to other site"))
+ return
+ }
+ if err := oc.SetSession(redirectURLKey, redirectURL); err != nil {
 log.Errorf("failed to set session for key: %s, error: %v", redirectURLKey, err)
 oc.SendInternalServerError(err)
 return
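Review bot: The new `strings.HasPrefix(redirectURL, "//")` guard in the oidc.go hunk only rejects protocol-relative values, so a `redirect_url` that carries its own scheme and host is still stored in the session as a "local" target; the intent stated by the error message ("cannot redirect to other site") is better enforced by parsing the value with `net/url` and requiring both `Scheme` and `Host` to be empty, keeping the `//` prefix check as a belt-and-braces test for inputs the parser normalises. Two smaller points on the same lines: a constant message should be `errors.New("cannot redirect to other site")` rather than `fmt.Errorf` with no format verbs, and the log of attacker-controlled input reads more safely as `%q` than `%v`. RedirectLogin begins and ends outside this hunk, and where the stored session value is later consumed is not visible here, so whether that consumer applies its own validation cannot be confirmed; the `net/url` and `errors` imports would need adding in the file's import block, which is also outside the hunk.

```go
redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
u, err := url.Parse(redirectURL)
if err != nil || u.Scheme != "" || u.Host != "" || strings.HasPrefix(redirectURL, "//") {
	log.Errorf("invalid redirect url: %q", redirectURL)
	oc.SendBadRequestError(errors.New("cannot redirect to other site"))
	return
}
// … unchanged: SetSession call and its error handling …
```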