
Commit 0ab3ad6

author
Arun Philip
committed
fix: restore isDangerousScheme redirect URI validation
1 parent 87eb105 commit 0ab3ad6

1 file changed

Lines changed: 19 additions & 0 deletions

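--- a/server/ui.go
+++ b/server/ui.go
@@ -364,12 +364,31 @@ func (s *IDPServer) renderFormSuccess(w http.ResponseWriter, r *http.Request, da
 }
 }
 
+// isDangerousScheme returns true if the scheme should not be allowed
+// in OAuth redirect URIs due to security risks.
+// The reason for not simply allowlisting http/https is that some native apps can handle
+// special scheme prefixes as an intentional integration.
+func isDangerousScheme(scheme string) bool {
+switch scheme {
+case "ftp", "file", "mailto", "javascript", "data",
+"blob", "filesystem", "vbscript", "about",
+"chrome", "chrome-extension":
+return true
+}
+return false
+}
+
 // validateRedirectURI validates that a redirect URI is well-formed
 func validateRedirectURI(redirectURI string) string {
 u, err := url.Parse(redirectURI)
 if err != nil || u.Scheme == "" {
 return "must be a valid URI with a scheme"
 }
+
+if isDangerousScheme(u.Scheme) {
+return fmt.Sprintf("scheme %q is not allowed", u.Scheme)
+}
+
 if u.Scheme == "http" || u.Scheme == "https" {
 if u.Host == "" {
 return "HTTP and HTTPS URLs must have a host"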
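Review bot: isDangerousScheme matches the scheme byte-for-byte, which is only safe because url.Parse lowercases the scheme before validateRedirectURI hands it over; that assumption belongs next to the switch so a future caller passing an un-normalized string does not slip past the list, e.g. `// Expects a scheme as normalized by url.Parse (lowercased); the match is exact.`. The doc comment could also state the consequence of the denylist design it already explains: any scheme not listed, including unknown custom schemes, is accepted by this check and relies on the remaining validation. Since the commit title says this check is being restored, a table-driven test of validateRedirectURI covering a few listed schemes and their mixed-case spellings would keep it from being dropped again; the commit's single changed file contains none. validateRedirectURI continues past the hunk.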
