
Conversation

Contributor

@Xe Xe commented Oct 29, 2025

Closes GHSA-cf57-c578-7jvv

Previously Anubis had an open redirect in subrequest auth mode due to an insufficient fix in GHSA-jhjj-2g64-px7c. This patch adds additional validation at several steps of the flow to prevent open redirects in subrequest auth mode as well as implements automated testing to prevent this from occurring in the future.

Checklist:

  • Added a description of the changes to the [Unreleased] section of docs/docs/CHANGELOG.md
  • Added test cases to the relevant parts of the codebase
  • Ran integration tests npm run test:integration (unsupported on Windows, please use WSL)
  • All of my commits have verified signatures
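The kind of check the description refers to, shown here as an added example that is not Anubis's own code: a hypothetical SafeRedirectPath helper that accepts only a same-origin absolute path as the post-authentication redirect target and rejects the encodings a browser would resolve to another host (absolute URLs, scheme-relative `//host`, backslashes, percent-encoded slashes, control characters), plus a RedirectTarget wrapper that falls back to `/` when validation fails. Both function names and the sample inputs are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirectPath reports whether candidate may be used verbatim as a
// redirect target after authentication. The rule is deliberately strict:
// the value must be an absolute path on the current origin. It returns the
// re-serialized path (fragment dropped) so that what is emitted in the
// Location header is exactly what was validated.
// Hypothetical helper written for this example, not Anubis's implementation.
func SafeRedirectPath(candidate string) (string, bool) {
	if candidate == "" {
		return "", false
	}
	// Control characters have no place in a header value.
	for _, r := range candidate {
		if r < 0x20 || r == 0x7f {
			return "", false
		}
	}
	// Browsers normalize "\" to "/", so "/\host" would become "//host".
	if strings.Contains(candidate, `\`) {
		return "", false
	}
	// Exactly one leading slash: "//host/..." is a scheme-relative URL
	// that resolves to a different origin.
	if !strings.HasPrefix(candidate, "/") || strings.HasPrefix(candidate, "//") {
		return "", false
	}
	u, err := url.Parse(candidate)
	if err != nil {
		return "", false
	}
	// Anything the parser resolved to a scheme, host or userinfo is not a
	// same-origin path, whatever the raw string looked like.
	if u.Scheme != "" || u.Host != "" || u.Opaque != "" || u.User != nil {
		return "", false
	}
	// url.Parse decodes "%2F"; catch "/%2F%2Fhost" which decodes to "//host".
	if strings.HasPrefix(u.Path, "//") {
		return "", false
	}
	return u.RequestURI(), true
}

// RedirectTarget returns the validated path, or "/" when the candidate is
// rejected, so callers never forward an unvalidated value.
func RedirectTarget(candidate string) string {
	if p, ok := SafeRedirectPath(candidate); ok {
		return p
	}
	return "/"
}

func main() {
	// Constructed sample inputs: one legitimate target and several shapes
	// that a validator must reject.
	samples := []string{
		"/dashboard?tab=1",
		"https://attacker.example/",
		"//attacker.example/",
		`/\attacker.example`,
		"/%2F%2Fattacker.example",
	}
	for _, c := range samples {
		got, ok := SafeRedirectPath(c)
		fmt.Printf("%-28q ok=%-5v -> %q\n", c, ok, RedirectTarget(c))
		_ = got
	}
}
```

The parse-then-inspect step matters because prefix checks alone are easy to get wrong; rejecting on the parsed Scheme, Host and decoded Path covers inputs the string checks were not written for.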

Xe added 3 commits October 29, 2025 14:36
Closes GHSA-cf57-c578-7jvv

Previously Anubis had an open redirect in subrequest auth mode due to an
insufficient fix in GHSA-jhjj-2g64-px7c. This patch adds additional
validation at several steps of the flow to prevent open redirects in
subrequest auth mode as well as implements automated testing to prevent
this from occurring in the future.
Signed-off-by: Xe Iaso <[email protected]>
@Xe Xe self-assigned this Oct 29, 2025
Contributor Author

Xe commented Oct 29, 2025

lol anubis tests just failed because of the Azure outage:

W: Failed to fetch https://packages.microsoft.com/repos/azure-cli/dists/noble/InRelease  Temporary failure resolving 'packages.microsoft.com'
W: Failed to fetch https://packages.microsoft.com/ubuntu/24.04/prod/dists/noble/InRelease  Temporary failure resolving 'packages.microsoft.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
Error: listen EADDRINUSE: address already in use :::9001
--- FAIL: TestPlaywrightBrowser (114.72s)
    playwright_test.go:222: running command: npx --yes [email protected] install --with-deps
    playwright_test.go:222: daemonizing command: npx --yes [email protected] run-server --port 9001
    playwright_test.go:576: could not install Playwright: could not install driver: could not install driver: could not download driver from https://playwright.azureedge.net/builds/driver/playwright-1.52.0-linux.zip: Get "https://playwright.azureedge.net/builds/driver/playwright-1.52.0-linux.zip": dial tcp: lookup playwright.azureedge.net on 127.0.0.53:53: read udp 127.0.0.1:34657->127.0.0.53:53: i/o timeout
        could not download driver from https://playwright-akamai.azureedge.net/builds/driver/playwright-1.52.0-linux.zip: Get "https://playwright-akamai.azureedge.net/builds/driver/playwright-1.52.0-linux.zip": dial tcp: lookup playwright-akamai.azureedge.net on 127.0.0.53:53: read udp 127.0.0.1:34522->127.0.0.53:53: i/o timeout
        could not download driver from https://playwright-verizon.azureedge.net/builds/driver/playwright-1.52.0-linux.zip: Get "https://playwright-verizon.azureedge.net/builds/driver/playwright-1.52.0-linux.zip": dial tcp: lookup playwright-verizon.azureedge.net on 127.0.0.53:53: read udp 127.0.0.1:48405->127.0.0.53:53: i/o timeout

@Xe Xe enabled auto-merge (squash) October 29, 2025 20:07
@Xe Xe disabled auto-merge October 29, 2025 20:07
Contributor Author

Xe commented Oct 29, 2025

Overriding to merge and fix.

@Xe Xe merged commit 7ed1753 into main Oct 29, 2025
14 of 15 checks passed