Fix open redirect vulnerability on login screen (#4312)

* Fix open redirect vulnerability on login screen Signed-off-by: Jonas Franz <info@jonasfranz.software> * Reorder imports Signed-off-by: Jonas Franz <info@jonasfranz.software> * Replace www. from Domain too Signed-off-by: Jonas Franz <info@jonasfranz.software>
2025-10-31 19:06:18 +01:00 · 2018-06-26 16:45:18 +02:00
parent b8c2420ae2
commit 801843b011
3 changed files with 50 additions and 1 deletions
--- a/modules/util/util_test.go
+++ b/modules/util/util_test.go
@@ -7,6 +7,8 @@ package util
 import (
 	"testing"

+	"code.gitea.io/gitea/modules/setting"
+
 	"github.com/stretchr/testify/assert"
 )

@@ -42,3 +44,36 @@ func TestURLJoin(t *testing.T) {
 		assert.Equal(t, test.Expected, URLJoin(test.Base, test.Elements...))
 	}
 }
+
+func TestIsExternalURL(t *testing.T) {
+	setting.Domain = "try.gitea.io"
+	type test struct {
+		Expected bool
+		RawURL   string
+	}
+	newTest := func(expected bool, rawURL string) test {
+		return test{Expected: expected, RawURL: rawURL}
+	}
+	for _, test := range []test{
+		newTest(false,
+			"https://try.gitea.io"),
+		newTest(true,
+			"https://example.com/"),
+		newTest(true,
+			"//example.com"),
+		newTest(true,
+			"http://example.com"),
+		newTest(false,
+			"a/"),
+		newTest(false,
+			"https://try.gitea.io/test?param=false"),
+		newTest(false,
+			"test?param=false"),
+		newTest(false,
+			"//try.gitea.io/test?param=false"),
+		newTest(false,
+			"/hey/hey/hey#3244"),
+	} {
+		assert.Equal(t, test.Expected, IsExternalURL(test.RawURL))
+	}
+}