
fix: prevent open redirect in redirect_uri validation#542

Merged
lakhansamani merged 2 commits into main from fix/open-redirect-redirect-uri
Apr 3, 2026

Conversation

@lakhansamani
Contributor

Summary

  • Add IsValidRedirectURI() that never accepts * as a blanket pass for redirect URIs (unlike IsValidOrigin used for CORS)
  • When allowed_origins=* (default config), only self-origin redirects are permitted
  • Add redirect_uri validation to /logout and /authorize which previously had none
  • Switch all 7 existing redirect_uri validation sites from IsValidOrigin to IsValidRedirectURI
  • Reject non-HTTP schemes (javascript:, data:, ftp:) in redirect URIs

Affected Endpoints (9 total)

| Endpoint | Previous state | Fix |
|---|---|---|
| forgot_password | IsValidOrigin (bypassed with *) | IsValidRedirectURI |
| magic_link_login | IsValidOrigin (bypassed with *) | IsValidRedirectURI |
| signup | IsValidOrigin (bypassed with *) | IsValidRedirectURI |
| invite_members | IsValidOrigin (bypassed with *) | IsValidRedirectURI |
| /verify_email | IsValidOrigin (bypassed with *) | IsValidRedirectURI |
| /oauth/login | IsValidOrigin (bypassed with *) | IsValidRedirectURI |
| /app | IsValidOrigin (bypassed with *) | IsValidRedirectURI |
| /logout | No validation | IsValidRedirectURI |
| /authorize | No validation | IsValidRedirectURI |

Test plan

  • 16 unit tests for IsValidRedirectURI (wildcard, explicit origins, non-HTTP schemes, port matching)
  • 7 integration tests with SQLite (attacker rejection, self-origin acceptance, default fallback, scheme rejection)
  • Existing IsValidOrigin tests unaffected (CORS behavior unchanged)
  • Full build passes

Fixes #540

When allowed_origins=* (the default), IsValidOrigin() accepted any URL
as a valid redirect_uri, enabling attackers to steal password reset
tokens, magic link tokens, and OAuth tokens by redirecting users to
attacker-controlled domains.

Add IsValidRedirectURI() that never accepts * as a blanket pass. When
allowed_origins=*, only self-origin redirects are allowed. Also add
redirect_uri validation to /logout and /authorize which had none.

Fixes #540

Cover *.example.com patterns, port-specific wildcards, multi-origin
with wildcards, and bypass attempts like example.com.attacker.com.
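The PR summary and the two commit messages above describe the intended semantics of the new check: only http/https targets, the self origin always allowed, `*` in `allowed_origins` ignored rather than treated as a blanket pass, exact or `*.example.com` wildcard origin matching with scheme and port taken into account, and suffix-style bypasses such as `example.com.attacker.com` rejected. The following is an added, stand-alone illustration of those rules written for this page; it is not the project's `IsValidRedirectURI`, and the function signature (`selfOrigin`, `allowedOrigins`, `redirectURI`), the pattern syntax and the sample URLs are assumptions chosen to exercise each rule.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isHTTPScheme accepts only http and https, so javascript:, data:, ftp:
// and scheme-less "//host/path" targets are all rejected.
func isHTTPScheme(scheme string) bool {
	return scheme == "http" || scheme == "https"
}

// effectivePort returns the explicit port or the scheme default, so that
// "https://a.example.com" and "https://a.example.com:443" compare equal
// while "https://a.example.com:8080" does not.
func effectivePort(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	if u.Scheme == "https" {
		return "443"
	}
	return "80"
}

// originMatches reports whether the parsed target matches one allowed-origin
// pattern of the assumed forms "https://app.example.com", "https://*.example.com"
// or "https://*.example.com:8080". Scheme and effective port must match. A "*."
// prefix matches subdomains only, by suffix on the whole hostname, so
// "example.com.attacker.com" never matches "*.example.com".
func originMatches(pattern string, target *url.URL) bool {
	p, err := url.Parse(strings.TrimSpace(pattern))
	if err != nil || !isHTTPScheme(p.Scheme) || p.Hostname() == "" {
		return false
	}
	if p.Scheme != target.Scheme || effectivePort(p) != effectivePort(target) {
		return false
	}
	want := strings.ToLower(p.Hostname())
	got := strings.ToLower(target.Hostname())
	if strings.HasPrefix(want, "*.") {
		suffix := want[1:] // ".example.com"
		return len(got) > len(suffix) && strings.HasSuffix(got, suffix)
	}
	return want == got
}

// IsValidRedirectURI (hypothetical; not the project's function) decides whether
// redirectURI may be used as a post-action redirect target. The self origin is
// always accepted; a bare "*" in allowedOrigins is skipped rather than treated
// as a pass, which is the difference from a CORS origin check.
func IsValidRedirectURI(selfOrigin string, allowedOrigins []string, redirectURI string) bool {
	u, err := url.Parse(redirectURI)
	if err != nil || !isHTTPScheme(u.Scheme) || u.Hostname() == "" {
		return false
	}
	if originMatches(selfOrigin, u) {
		return true
	}
	for _, o := range allowedOrigins {
		if strings.TrimSpace(o) == "*" {
			continue // blanket wildcard is acceptable for CORS, never for redirects
		}
		if originMatches(o, u) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs covering each rule described in the PR.
	self := "https://auth.example.com"
	cases := []struct {
		allowed []string
		uri     string
	}{
		{[]string{"*"}, "https://auth.example.com/reset?token=abc"},          // self origin: allowed
		{[]string{"*"}, "https://attacker.example/steal"},                    // "*" is not a pass
		{[]string{"https://*.example.com"}, "https://app.example.com/cb"},    // wildcard subdomain
		{[]string{"https://*.example.com"}, "https://example.com.attacker.com/"}, // suffix bypass
		{[]string{"https://*.example.com:8080"}, "https://dev.example.com:8080/cb"},
		{[]string{"https://*.example.com"}, "https://dev.example.com:8080/cb"}, // port mismatch
		{[]string{"https://app.example.com"}, "https://app.example.com@attacker.example/"}, // userinfo trick
		{[]string{"*"}, "javascript:alert(document.cookie)"},                 // non-HTTP scheme
		{[]string{"*"}, "//attacker.example/"},                               // scheme-relative
	}
	for _, c := range cases {
		fmt.Printf("%-48q allowed=%v -> %v\n", c.uri, c.allowed, IsValidRedirectURI(self, c.allowed, c.uri))
	}
}
```

Matching is done on the parsed `Hostname()` rather than on the raw string, so userinfo (`user@host`), explicit ports and mixed-case hosts cannot smuggle a different host past a prefix or substring comparison; the `*.` pattern is applied as a dotted suffix on the full hostname for the same reason.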
@lakhansamani lakhansamani merged commit b4ac2f3 into main Apr 3, 2026
@lakhansamani lakhansamani deleted the fix/open-redirect-redirect-uri branch April 3, 2026 09:08


Development

Successfully merging this pull request may close these issues.

Security: Open redirect in redirect_uri validation allows account takeover (CWE-601, CWE-640)
