Skip to content

🔒 Fix Potential Open Redirect in Auth Router #17

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sunnylqm wants to merge 1 commit into
base: main
Choose a base branch
from
Open

🔒 Fix Potential Open Redirect in Auth Router #17

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion src/services/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import { md5 } from 'hash-wasm';
import { rootRouterPath, router } from '@/router';
import { api } from '@/services/api';
import { setToken } from '@/services/request';
import { isSafeRedirect } from '@/utils/helper';

let _email = '';
export const setUserEmail = (email: string) => {
Expand All @@ -23,7 +24,9 @@ export async function login(email: string, password: string) {
const loginFrom = new URLSearchParams(window.location.search).get(
'loginFrom',
);
router.navigate(loginFrom || rootRouterPath.user);
router.navigate(
isSafeRedirect(loginFrom) ? loginFrom! : rootRouterPath.user,
);
}
} catch (err) {
const e = err as Error;
Expand Down
35 changes: 34 additions & 1 deletion src/utils/helper.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,38 @@
import { describe, expect, test } from 'bun:test';
import { isExpVersion } from './helper';
import { isExpVersion, isSafeRedirect } from './helper';

describe('isSafeRedirect', () => {
test('should return true for internal paths', () => {
expect(isSafeRedirect('/dashboard')).toBe(true);
expect(isSafeRedirect('/user/profile')).toBe(true);
expect(isSafeRedirect('/')).toBe(true);
});

test('should return false for empty or nullish values', () => {
expect(isSafeRedirect(null)).toBe(false);
expect(isSafeRedirect(undefined)).toBe(false);
expect(isSafeRedirect('')).toBe(false);
});

test('should return false for external URLs', () => {
expect(isSafeRedirect('https://google.com')).toBe(false);
expect(isSafeRedirect('http://malicious.com')).toBe(false);
expect(isSafeRedirect('ftp://server.com')).toBe(false);
});

test('should return false for protocol-relative URLs', () => {
expect(isSafeRedirect('//google.com')).toBe(false);
});

test('should return false for backslash-prefixed paths (potential bypass)', () => {
expect(isSafeRedirect('/\\google.com')).toBe(false);
});

test('should return false for paths that do not start with /', () => {
expect(isSafeRedirect('user/profile')).toBe(false);
expect(isSafeRedirect('javascript:alert(1)')).toBe(false);
});
});

describe('isExpVersion', () => {
test('should return false when config is null', () => {
Expand Down
6 changes: 6 additions & 0 deletions src/utils/helper.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,12 @@ export const testUrls = async (urls?: string[]) => {
return urls[0];
};

export const isSafeRedirect = (url: string | null | undefined): boolean => {
if (!url) return false;
// Ensure it starts with / and not // or \
return url.startsWith('/') && !url.startsWith('//') && !url.startsWith('/\\');
Comment on lines +69 to +72
Copy link

@coderabbitai coderabbitai bot Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Do browser URL parsers / the History API strip ASCII tab or newline characters from URL inputs, and can a decoded path like "/%09/evil.com" or "/%0A/evil.com" normalize to a protocol-relative URL?

💡 Result:

Yes—literal ASCII tab/newline characters in a URL input string are stripped by the WHATWG URL parser (used by modern browsers).

  • The URL Standard’s basic URL parser says that if the input contains any ASCII tab or newline, it’s a validation error, and then it “Remove[s] all ASCII tab or newline from input.” (url.spec.whatwg.org)
  • The History API (history.pushState / replaceState) parses the provided url by running “encoding-parsing a URL” relative to the relevant settings object, which goes through URL parsing (and therefore gets the same tab/newline stripping behavior). (html.spec.whatwg.org)

Can "/%09/evil.com" or "/%0A/evil.com" normalize to a protocol-relative URL?

Not by the browser’s URL parser alone.

  • /%09/evil.com and /%0A/evil.com contain the percent sign + hex digits, not literal tab/newline characters, so the parser’s “strip ASCII tab/newline” step does not remove %09/%0A. (url.spec.whatwg.org)
  • A protocol-relative (scheme-relative) URL requires the parsed input to start with // (e.g. //evil.com). Your examples start with /%09/... or /%0A/..., so they remain ordinary paths.

When could it become protocol-relative?

Only if something percent-decodes first (turning %09 into a literal TAB or %0A into a literal LF) and then the browser parses that decoded string. For example, if an application decodes to the literal string "/\t/evil.com", the URL parser will strip the tab, producing "//evil.com", which is protocol-relative. (url.spec.whatwg.org)

Citations:

🏁 Script executed:

# Find where isSafeRedirect is used to understand the actual attack surface
rg -A 5 'isSafeRedirect' --type ts

Repository: reactnativecn/pushy-admin

Length of output: 3259

🏁 Script executed:

# Get the full context around the isSafeRedirect usage in auth.ts
rg -B 10 -A 5 'isSafeRedirect\(loginFrom\)' src/services/auth.ts

Repository: reactnativecn/pushy-admin

Length of output: 548

Reject ASCII control characters before prefix validation to prevent normalization bypass.

loginFrom is decoded by URLSearchParams, so encoded control characters like %09 (tab) and %0A (newline) reach this validator as literal control characters. The current prefix-only checks pass strings like "/%09/evil.com", but when passed to router.navigate(), the browser's URL parser strips the literal tab per the WHATWG specification, normalizing it to "//evil.com" (a protocol-relative URL) and enabling an open redirect.

🔐 Hardening required 
 export const isSafeRedirect = (url: string | null | undefined): boolean => {
   if (!url) return false;
-  // Ensure it starts with / and not // or \
-  return url.startsWith('/') && !url.startsWith('//') && !url.startsWith('/\\');
+  // Reject characters that URL parsers strip or normalize.
+  if (/[\u0000-\u001F\u007F]/.test(url)) return false;
+  // Only allow app-internal absolute paths.
+  return /^\/(?![\\/])/.test(url);
 };
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/utils/helper.ts` around lines 69 - 72, Reject inputs containing ASCII
control characters before the prefix checks in isSafeRedirect: add an early
validation in the isSafeRedirect function to scan the decoded url string for any
code points in the ASCII control range (0x00–0x1F) or DEL (0x7F) and return
false if any are found (this will catch tabs/newlines like \t or \n). After this
control-character check, keep the existing prefix logic (startsWith('/') and not
starting with '//' or '/\\') so URLs like "/%09/evil.com" (decoded to a literal
tab) are rejected before browser normalization can turn them into
protocol-relative redirects.

};

export const isExpVersion = (
config: VersionConfig | null | undefined,
packageVersion: string,
Expand Down