fix: Validate host parameter stored in OAuth state on failure redirect (#11956)

* fix: Validate host parameter stored in OAuth state on auth failure path

* fix: Validate OAuth state host to prevent open redirect

Sanitize the host parameter from OAuth state before using it in error
redirects. Adds userinfo stripping to parseDomain's normalizeUrl to
prevent bypasses like "subdomain.base@evil.com", validates custom
domains against registered teams, and introduces Team.findByDomain
with input normalization for consistent domain lookups.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Tom Moor
2026-04-04 16:13:54 -04:00
committed by GitHub
parent a411e08f1f
commit d4dec42bc5
9 changed files with 144 additions and 20 deletions
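The bypass class the commit message names ("subdomain.base@evil.com") and a host check that resists it, as an added example that is not Outline's code and does not reproduce its `parseDomain`, `normalizeUrl` or `Team.findByDomain`. It shows why a prefix or substring check on the raw redirect string is defeated by userinfo, and why the host should be taken from a real URL parser and then normalized (lower-cased, trailing dot stripped) before being compared with the base domain or a registered custom domain. The base domain, the registered custom domain and every function name below are constructed for illustration.

```javascript
// Added example (not Outline's code). Demonstrates the "subdomain.base@evil.com"
// open-redirect bypass class named in the commit message and a host validation
// that is not fooled by it. All names and domains are constructed.
const BASE_DOMAIN = "base.example"; // assumption: the app's own domain
const REGISTERED_CUSTOM_DOMAINS = new Set(["docs.acme.example"]); // assumption: team custom domains

// Naive check: the redirect target is trusted if it starts with the team's
// expected origin. Userinfo defeats this: "https://sub.base.example@evil.com/"
// starts with "https://sub.base.example" yet a browser sends the user to evil.com.
function naiveIsSafeRedirect(raw, teamSubdomain) {
  return raw.startsWith(`https://${teamSubdomain}.${BASE_DOMAIN}`);
}

// Hardened: let the WHATWG URL parser split userinfo, host and port, reject
// anything that is not plain http(s) or that carries credentials, and return
// a canonical hostname for lookups.
function extractHost(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username !== "" || url.password !== "") return null; // userinfo is never legitimate here
  // The parser already lower-cases http(s) hostnames; the explicit toLowerCase()
  // keeps the normalization visible and matches what a database lookup needs.
  return url.hostname.replace(/\.$/, "").toLowerCase();
}

// Classify a normalized host the way a multi-tenant app must: the base domain,
// exactly one label below it (a team subdomain), or a registered custom domain.
function classifyHost(host) {
  if (host === null) return { kind: "invalid" };
  if (host === BASE_DOMAIN) return { kind: "base" };
  const suffix = "." + BASE_DOMAIN;
  if (host.endsWith(suffix)) {
    const label = host.slice(0, -suffix.length);
    // a single DNS label only; "a.b.base.example" is rejected
    return /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label)
      ? { kind: "teamSubdomain", teamSubdomain: label }
      : { kind: "invalid" };
  }
  // A custom domain is trusted only if a registered team actually claims it.
  return REGISTERED_CUSTOM_DOMAINS.has(host) ? { kind: "custom", host } : { kind: "invalid" };
}

function safeIsSafeRedirect(raw) {
  return classifyHost(extractHost(raw)).kind !== "invalid";
}
```

The `classifyHost` step is what makes the custom-domain branch safe: an attacker-controlled host that is neither under the base domain nor present in the registered set is rejected rather than echoed back into a `Location` header.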
+1 -1
@@ -34,7 +34,7 @@ router.post(
team = await Team.scope("withAuthenticationProviders").findOne();
} else if (domain.custom) {
team = await Team.scope("withAuthenticationProviders").findOne({
where: { domain: domain.host },
where: { domain: domain.host.toLowerCase() },
});
} else if (domain.teamSubdomain) {
team = await Team.scope("withAuthenticationProviders").findOne({
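Review bot: the `.toLowerCase()` added inline on the `where: { domain: domain.host.toLowerCase() }` line duplicates the normalization the commit message says `Team.findByDomain` now centralizes; consider routing this custom-domain lookup through that helper (or its normalization routine) so this path and any later callers agree on one canonical form instead of each hand-rolling a case fold. It also only works if the stored `domain` column is already lower-cased on write; if it is not, a case-insensitive comparison on the column side is needed for the match to succeed. Note that the `teamSubdomain` branch just below still passes its value through unchanged, so the two branches are normalized differently.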