fix(auth): reject control chars in OAuth callback next param

Defense-in-depth against header injection if the post-login redirect
target ever reaches a context that doesn't re-encode it.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
yuanzonghao
2026-06-13 23:19:44 +08:00
parent 89a5c54065
commit 11f5ca83ec
+6
@@ -8,6 +8,12 @@ import { createClient } from "@/lib/supabase/server";
function safeNext(raw: string | null): string {
if (!raw || !raw.startsWith("/")) return "/";
if (raw.startsWith("//") || raw.startsWith("/\\")) return "/";
// Reject control chars (CR/LF etc.) — defense-in-depth against header
// injection if `next` ever reaches a context that doesn't re-encode it.
for (let i = 0; i < raw.length; i++) {
const code = raw.charCodeAt(i);
if (code < 0x20 || code === 0x7f) return "/";
}
return raw;
}
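Review bot: The added scan only rejects C0 controls and DEL, so if `next` really can reach a context that does not re-encode it, C1 controls (0x80–0x9f) and the Unicode line separators U+2028/U+2029 still pass through unchanged; whether that matters depends on the downstream consumer, which is not visible in this hunk. The four-line loop also reads more naturally as one test, `if (/[\u0000-\u001f\u007f]/.test(raw)) return "/";`, which keeps the same behaviour and is easier to extend if the range needs widening. Since safeNext now has three distinct rejection rules, a short TSDoc comment above it stating the contract (only a same-origin path starting with a single "/" and containing no control characters is returned; everything else falls back to "/") would help the next reader. safeNext is fully contained in the hunk.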