Mirrors/wireguard_webadmin
1
0
Fork 0
mirror of https://github.com/eduardogsilva/wireguard_webadmin.git synced 2026-03-17 22:36:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

enhance security by adding cache control headers, validating password length, and rejecting encoded slashes in path processing

Browse Source
This commit is contained in:
Eduardo Silva
2026-03-16 20:36:49 -03:00
parent ca63b87123
commit fb17394099
4 changed files with 26 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
containers/auth-gateway/auth_gateway/web/auth_routes.py
View File

@@ -57,6 +57,7 @@ async def auth_check(request: Request):
return re.sub(r"[\r\n\x00]", "", value)
response = PlainTextResponse("OK", status_code=200)
response.headers["Cache-Control"] = "no-store"
if session:
if session.username:
response.headers["X-Auth-User"] = _safe_header(session.username)

9
containers/auth-gateway/auth_gateway/web/login_routes.py
View File

@@ -317,6 +317,7 @@ async def login_oidc_start(request: Request, next: str = "/"):
@router.get("/login/oidc/callback")
@limiter.limit(AUTH_RATE_LIMIT)
async def login_oidc_callback(request: Request, state: str):
runtime_config = get_runtime_config(request)
oidc_state = request.app.state.session_service.consume_oidc_state(state)
@@ -352,10 +353,12 @@ async def login_oidc_callback(request: Request, state: str):
def _safe_redirect_path(url: str | None) -> str:
"""Accept only relative paths to prevent open redirects."""
if not url or "://" in url or not url.startswith("/"):
"""Accept only relative paths to prevent open redirects, including protocol-relative URLs."""
if not url:
return "/"
return url
from urllib.parse import urlsplit
path = urlsplit(url).path or "/"
return path if path.startswith("/") else "/"
def _do_logout(request: Request, next_url: str = "/") -> RedirectResponse: