umputun / remark42 / 24751384141

84%

master: 84%

Build Type

Pull #2049

github

Committed by paskal

Commit Message

fix(auth): normalise AllowedRedirectHosts entries + add unit test

Address Copilot review on PR #2049. The previous closure passed raw
s.AllowedHosts entries straight to the auth library, but --allowed-hosts
holds CSP frame-ancestors source expressions: scheme-prefixed values
(https://blog.example.com), entries with ports, and wildcards
(*.cdn.example.com) are all valid there but the auth library compares
against u.Hostname() and would silently drop them — breaking legitimate
redirects on multi-host deployments.

Extract getAllowedRedirectHosts that:
* trims whitespace, drops empty / 'self' / "self" / wildcard entries
* prepends https:// if scheme missing then url.Parse to extract Hostname
* logs a warning on parse failure rather than poisoning the allowlist

Wire the closure in getAuthenticator to call the helper.

Test_getAllowedRedirectHosts covers all the edge cases Copilot flagged
(scheme stripping, port handling, self spellings, wildcards, empty,
mixed real-world).

Pull Request Pull Request #2049: fix(auth): close OAuth open-redirect by wiring AllowedRedirectHosts

Coverage Stats

22 of 26 new or added lines in 2 files covered. (84.62%)

87 existing lines in 1 file now uncovered.

6261 of 7432 relevant lines covered (84.24%)

34.36 hits per line