fix: validate X-Forwarded headers and check redirect domain

nyyu 2025-06-14 08:36:27 +02:00
parent f28426fa4d
commit 3f9d87aabb


@ -69,7 +69,21 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte("Authorization required"))
} else {
redir := r.Header.Get("X-Forwarded-Proto") + "://" + r.Header.Get("X-Forwarded-Host") + r.Header.Get("X-Forwarded-Uri")
proto := r.Header.Get("X-Forwarded-Proto")
host := r.Header.Get("X-Forwarded-Host")
uri := r.Header.Get("X-Forwarded-Uri")
if proto == "" || host == "" || uri == "" {
s.respondWithStatus(w, r, "Missing required X-Forwarded-* headers", http.StatusBadRequest)
return
}
// Check if host is allowed in RedirectDomains
if len(s.opts.RedirectDomains) > 0 && !slices.Contains(s.opts.RedirectDomains, host) {
s.respondWithStatus(w, r, "Redirect domain not allowed", http.StatusBadRequest)
return
}
redir := proto + "://" + host + uri
escapedURL := url.QueryEscape(redir)
http.Redirect(w, r, fmt.Sprintf("%s/.within.website/?redir=%s", s.opts.PublicUrl, escapedURL), http.StatusTemporaryRedirect)
}