Skip to content

fix(authentication-oauth): Use actual URL origin comparison for origin check #3676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
daffl merged 2 commits into from
Mar 21, 2026
+41 −9
Merged

fix(authentication-oauth): Use actual URL origin comparison for origin check #3676

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3ffd075
fix(authentication-oauth): Use actual URL origin comparison for origi…
daffl Mar 19, 2026
3fd26b5
Nits
daffl Mar 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 41 additions & 9 deletions packages/authentication-oauth/src/strategy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,45 @@ import qs from 'qs'

const debug = createDebug('@feathersjs/authentication-oauth/strategy')

/**
* Validates that appending a user-supplied path to a base URL does not change the origin.
* Uses both URL resolution and string concatenation checks to catch all open redirect vectors:
* authority injection (@), protocol-relative (//), backslash, and domain suffix attacks.
*
* @throws NotAuthenticated if the redirect path would change the URL origin
*/
function validateRedirectOrigin(baseUrl: string, redirectPath: string) {
let allowedOrigin: string

try {
allowedOrigin = new URL(baseUrl).origin
} catch {
// baseUrl is a relative path (e.g. /home) — no open redirect risk
return
}

try {
// URL resolution catches protocol-relative (//) and backslash attacks
// e.g. new URL('//attacker.com', 'https://target.com') → https://attacker.com
const resolvedUrl = new URL(redirectPath, baseUrl)

if (resolvedUrl.origin !== allowedOrigin) {
throw new NotAuthenticated('Invalid redirect path.')
}

// String concatenation check catches domain suffix attacks
// e.g. 'https://target.com' + '.evil.com' → https://target.com.evil.com
const concatenatedUrl = new URL(`${baseUrl}${redirectPath}`)

if (concatenatedUrl.origin !== allowedOrigin) {
throw new NotAuthenticated('Invalid redirect path.')
}
} catch (error: any) {
if (error instanceof NotAuthenticated) throw error
throw new NotAuthenticated('Invalid redirect path.')
}
}

export interface OAuthProfile {
id?: string | number
[key: string]: any
Expand Down Expand Up @@ -105,15 +144,8 @@ export class OAuthStrategy extends AuthenticationBaseStrategy {
return null
}

// Validate redirect parameter to prevent open redirect via URL authority injection
// Only allow relative paths starting with / to prevent:
// - @attacker.com -> https://target.com@attacker.com (authority injection)
// - .attacker.com -> https://target.com.attacker.com (domain suffix attack)
// - -attacker.com -> https://target.com-attacker.com (domain suffix attack)
// - //attacker.com -> protocol-relative redirect
// - \attacker.com -> backslash redirect
if (queryRedirect && (!/^\//.test(queryRedirect) || /[@\\]|\/\//.test(queryRedirect))) {
throw new NotAuthenticated('Invalid redirect path.')
if (queryRedirect) {
validateRedirectOrigin(redirect, queryRedirect)
}

const redirectUrl = `${redirect}${queryRedirect}`
Expand Down
Loading