mirror of
https://github.com/agent0ai/agent-zero.git
synced 2026-07-10 01:18:29 +00:00
fix(security): prevent open redirect on login redirect
Login redirect responses are followed without validating the target origin. An attacker who can influence the redirect URL could send users to a malicious domain. Add origin validation before following the redirect in both fetchApi() and getCsrfToken() — only follow if the redirect URL origin matches window.location.origin. Severity: Medium
This commit is contained in:
parent
27730153ac
commit
da24eb04e0
1 changed files with 10 additions and 4 deletions
|
|
@ -129,8 +129,11 @@ export async function fetchApi(url, request) {
|
|||
csrfToken = null;
|
||||
return await _wrap(false);
|
||||
} else if (finalResponse.redirected && finalResponse.url.endsWith("/login")) {
|
||||
// redirect to login
|
||||
window.location.href = finalResponse.url;
|
||||
// redirect to login (origin check prevents open redirect)
|
||||
const _redirectUrl = new URL(finalResponse.url);
|
||||
if (_redirectUrl.origin === window.location.origin) {
|
||||
window.location.href = finalResponse.url;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
@ -218,8 +221,11 @@ export async function getCsrfToken() {
|
|||
}
|
||||
|
||||
if (response.redirected && response.url.endsWith("/login")) {
|
||||
// redirect to login
|
||||
window.location.href = response.url;
|
||||
// redirect to login (origin check prevents open redirect)
|
||||
const _redirectUrl = new URL(response.url);
|
||||
if (_redirectUrl.origin === window.location.origin) {
|
||||
window.location.href = response.url;
|
||||
}
|
||||
return;
|
||||
}
|
||||
const json = await response.json();
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue