fix(auth): reject control chars in OAuth callback next param
Defense-in-depth against header injection if the post-login redirect target ever reaches a context that doesn't re-encode it. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
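--- a/PATH_NOT_IN_SOURCE
+++ b/PATH_NOT_IN_SOURCE
@@ -8,6 +8,12 @@ import { createClient } from "@/lib/supabase/server";
 function safeNext(raw: string | null): string {
 if (!raw || !raw.startsWith("/")) return "/";
 if (raw.startsWith("//") || raw.startsWith("/\\")) return "/";
+// Reject control chars (CR/LF etc.) — defense-in-depth against header
+// injection if `next` ever reaches a context that doesn't re-encode it.
+for (let i = 0; i < raw.length; i++) {
+const code = raw.charCodeAt(i);
+if (code < 0x20 || code === 0x7f) return "/";
+}
 return raw;
 }
 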
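Review bot: The scan in the added `for` loop rejects only C0 controls and DEL, so C1 controls (U+0080–U+009F) and other non-ASCII line/paragraph separators still pass through; whether that matters depends on the consumer of `next`, which is not visible here, so it is worth a one-line note in the existing comment rather than a change on its own. As a point of style, the four-line loop can state the rejected range in one place and is easier to audit as a regex: `if (/[\u0000-\u001f\u007f]/.test(raw)) return "/";`. The function also has no TSDoc; a line such as `/** Returns raw when it is a same-site relative path usable as a redirect target, otherwise "/". */` would record the contract the three guards together enforce. The whole of `safeNext` is inside this hunk.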