refactor login flow to use context path for redirects and enhance path normalization to prevent traversal bypasses

2026-03-17 22:36:17 +00:00 · 2026-03-16 19:47:48 -03:00
parent bf1991457a
commit 76048593f1
2 changed files with 8 additions and 5 deletions
--- a/containers/auth-gateway/auth_gateway/services/resolver.py
+++ b/containers/auth-gateway/auth_gateway/services/resolver.py
@@ -1,3 +1,4 @@
+import posixpath
 from dataclasses import dataclass
 from urllib.parse import unquote, urlsplit

@@ -22,7 +23,9 @@ def normalize_host(raw_host: str) -> str:
 def normalize_path(raw_uri: str) -> str:
    parsed = urlsplit(raw_uri or "/")
    path = unquote(parsed.path or "/")
-    return path if path.startswith("/") else f"/{path}"
+    path = path if path.startswith("/") else f"/{path}"
+    # Resolve any .. or . segments to prevent path traversal bypasses
+    return posixpath.normpath(path)


 def _path_matches(path: str, prefix: str) -> bool: