Merge pull request #1143 from Deimos-AI/pr/security-open-redirect

fix(security): harden login redirect with origin validation
Jan Tomášek 2026-03-09 15:36:05 +01:00 committed by GitHub
commit 61e4daef08
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -129,8 +129,11 @@ export async function fetchApi(url, request) {
csrfToken = null;
return await _wrap(false);
} else if (finalResponse.redirected && finalResponse.url.endsWith("/login")) {
// redirect to login
window.location.href = finalResponse.url;
// redirect to login (origin check prevents open redirect)
const _redirectUrl = new URL(finalResponse.url);
if (_redirectUrl.origin === window.location.origin) {
window.location.href = finalResponse.url;
}
return;
}
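Review bot: When the origin check on the added lines fails, control still falls through to `return;` and fetchApi resolves to undefined, so the caller gets neither a response nor an error and the refused cross-origin redirect leaves no trace, although a blocked redirect is exactly the event worth surfacing. I would invert the check and fail loudly, `if (_redirectUrl.origin !== window.location.origin) throw new Error("refusing cross-origin login redirect");` followed by the unconditional `window.location.href = finalResponse.url;`, or at minimum `console.warn` before the return, since how callers treat an undefined result is not visible in this hunk. The same five lines are duplicated in getCsrfToken (the second hunk); a small shared helper taking the URL would keep the two checks from drifting apart. The `_redirectUrl` underscore prefix is also out of step with the `csrfToken` and `finalResponse` naming around it. fetchApi's body starts before and continues after this hunk.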
@ -218,8 +221,11 @@ export async function getCsrfToken() {
}
if (response.redirected && response.url.endsWith("/login")) {
// redirect to login
window.location.href = response.url;
// redirect to login (origin check prevents open redirect)
const _redirectUrl = new URL(response.url);
if (_redirectUrl.origin === window.location.origin) {
window.location.href = response.url;
}
return;
}
const json = await response.json();