From 11f5ca83ec384cd5d82d5ebf56c6a08d7a147bc5 Mon Sep 17 00:00:00 2001
From: yuanzonghao
Date: Sat, 13 Jun 2026 23:19:44 +0800
Subject: [PATCH] fix(auth): reject control chars in OAuth callback next param

Defense-in-depth against header injection if the post-login redirect target ever reaches a context that doesn't re-encode it.

Co-Authored-By: Claude Fable 5
---
 app/auth/callback/route.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/auth/callback/route.ts b/app/auth/callback/route.ts
index a365673..d9e1ab6 100644
--- a/app/auth/callback/route.ts
+++ b/app/auth/callback/route.ts
@@ -8,6 +8,12 @@ import { createClient } from "@/lib/supabase/server";
 function safeNext(raw: string | null): string {
 if (!raw || !raw.startsWith("/")) return "/";
 if (raw.startsWith("//") || raw.startsWith("/\\")) return "/";
+ // Reject control chars (CR/LF etc.) — defense-in-depth against header
+ // injection if `next` ever reaches a context that doesn't re-encode it.
+ for (let i = 0; i < raw.length; i++) {
+ const code = raw.charCodeAt(i);
+ if (code < 0x20 || code === 0x7f) return "/";
+ }
 return raw;
 }
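Review bot: safeNext now enforces three separate rules (a leading `/`, not protocol-relative via `//` or `/\`, and no ASCII control characters) but still has no doc comment stating that contract, so the next maintainer has to reverse-engineer the guarantee from the guards. A TSDoc above the signature such as `/** Returns raw unchanged if it is a safe same-origin path (leading "/", not "//" or "/\\", no ASCII control chars 0x00-0x1f/0x7f); otherwise "/". */` would fix that. The new scan could also be the single rule `if (/[\x00-\x1f\x7f]/.test(raw)) return "/";` instead of a hand-rolled charCodeAt loop, which reads more like the two guards above it. Note that the check only sees literal characters: a percent-encoded CR/LF such as `%0d%0a` still passes, which is fine as long as no consumer decodes `next` before emitting it — worth stating in the comment if that assumption holds. safeNext is complete within the hunk.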