fix: don't allow open redirects
@@ -1,12 +1,24 @@
|
||||
import getServerSupabase from "@/lib/supabase/getServerSupabase";
|
||||
import { NextResponse } from "next/server";
|
||||
|
||||
// Validate redirect URL to prevent open redirect attacks
|
||||
function validateRedirectUrl(url: string): string {
|
||||
// Only allow relative URLs that start with /
|
||||
if (url.startsWith("/") && !url.startsWith("//")) {
|
||||
return url;
|
||||
}
|
||||
// Default to home page for any invalid URLs
|
||||
return "/";
|
||||
}
|
||||
|
||||
// Handle the callback to complete the user session login
|
||||
export async function GET(request: Request) {
|
||||
const { searchParams, origin } = new URL(request.url);
|
||||
const code = searchParams.get("code");
|
||||
// if "next" is in param, use it as the redirect URL
|
||||
const next = searchParams.get("next") ?? "/";
|
||||
const nextParam = searchParams.get("next") ?? "/";
|
||||
// Validate redirect URL to prevent open redirect attacks
|
||||
const next = validateRedirectUrl(nextParam);
|
||||
|
||||
if (code) {
|
||||
const supabase = getServerSupabase();
|
||||
|
||||
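Review bot: `validateRedirectUrl` rejects only a leading `//`, so a value that starts with `/` but contains a backslash or an ASCII control character still passes, and URL parsers normalise those characters in ways that can change the host if the value is ever used as a redirect target on its own. Tightening the condition to `if (url.startsWith("/") && !url.startsWith("//") && !/[\\\u0000-\u001f]/.test(url)) {` covers that; alternatively, resolve the value with `new URL(url, origin)` inside `GET` and accept it only when the resulting origin equals `origin`. How `next` reaches the redirect call is outside this hunk (the body of `GET` continues past it), so the practical exposure depends on whether it is prefixed with the origin there. A unit test listing accepted and rejected inputs would keep the rule from regressing.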