Conversation

fengmk2
Member

@fengmk2 fengmk2 commented Jul 29, 2025

@fengmk2 fengmk2 requested a review from Copilot July 29, 2025 23:53
@Copilot Copilot AI left a comment

Pull Request Overview

This pull request fixes a security vulnerability related to redirect handling in Koa.js by restricting "back" redirects to only allow same-origin referrers, preventing potential open redirect attacks.

Key changes:

  • Adds validation logic to check if referrer URLs are from the same origin before allowing redirects
  • Introduces a new private method _getBackReferrer() to safely handle referrer validation
  • Updates tests to verify the new same-origin validation behavior

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File                        Description
lib/response.js             Implements same-origin validation for "back" redirects with new _getBackReferrer() method
tests/response/redirect.js  Adds test cases to verify same-origin referrer validation works correctly

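The same-origin check the review describes, shown as an added example in JavaScript that is not Koa's own code: the function names `sameOriginReferrer` and `resolveBackRedirect`, the fallback convention and the host names are assumptions, not the project's implementation.

```javascript
// Added example (not Koa's code): a "back" redirect sends the client to the
// Referrer header. Honouring any referrer turns the endpoint into an open
// redirect, so only referrers on the request's own origin are accepted and
// everything else falls back to a fixed alternative.

// Hypothetical helper: returns the absolute referrer URL when it shares
// scheme, host and port with requestOrigin, otherwise null.
function sameOriginReferrer(referrer, requestOrigin) {
  if (!referrer) return null;
  let ref;
  try {
    // A relative referrer ("/orders") resolves against the request origin;
    // an absolute or protocol-relative one ("//evil.example") does not.
    ref = new URL(referrer, requestOrigin);
  } catch {
    return null; // unparsable header: treat it as absent
  }
  // Reject non-http(s) schemes such as javascript: before comparing origins.
  if (!/^https?:$/.test(ref.protocol)) return null;
  const origin = new URL(requestOrigin).origin;
  return ref.origin === origin ? ref.href : null;
}

// Hypothetical resolver for redirect('back', alt): `headers` is the
// incoming request's header object, `alt` the fallback for a missing or
// cross-origin referrer.
function resolveBackRedirect(headers, requestOrigin, alt = '/') {
  const referrer = headers.referrer || headers.referer;
  return sameOriginReferrer(referrer, requestOrigin) || alt;
}

// Constructed sample inputs: one same-origin and one cross-origin referrer.
resolveBackRedirect({ referer: 'https://app.example/account' }, 'https://app.example');
resolveBackRedirect({ referer: 'https://evil.example/' }, 'https://app.example');
```

A port mismatch or a scheme downgrade also counts as a different origin, so `https://app.example:8443` and `http://app.example` both fall back.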
@fengmk2 fengmk2 merged commit c02f188 into v2.x Jul 29, 2025
13 checks passed
@fengmk2 fengmk2 deleted the fix-open-redirect branch July 29, 2025 23:56