egg-security icon indicating copy to clipboard operation
egg-security copied to clipboard

Published 20 hours ago verified publisher icon eggjs

不安全地址补充

Open TangTang25 opened this issue 1 year ago • 2 comments

类似https://test.github.com\@baidu.com这样的地址是不安全的,在domainWhiteList里添加了test.github.com之后还是会redirect,实际上跳转到了baidu.com,希望加上对pathname的过滤

TangTang25 avatar Feb 19 '24 06:02 TangTang25

可以来提交一个 pr 修复?

fengmk2 avatar Feb 19 '24 10:02 fengmk2

https://github.com\\@baidu.com 并不会跳转到 baidu.com ? 你说的这个问题是怎样重现的?

fengmk2 avatar Feb 19 '24 10:02 fengmk2

复现了。

fengmk2 avatar Mar 15 '24 05:03 fengmk2

http://github.com\@baidu.com 通过 ctx.redirect('http://github.com\\@baidu.com') 之后会响应经过转码之后的 location,从而导致浏览器跳转到了 baidu.com

< location: http://github.com%[email protected]

fengmk2 avatar Mar 15 '24 05:03 fengmk2

https://github.com/koajs/koa/pull/1803

fengmk2 avatar Mar 15 '24 06:03 fengmk2