security: validate loginRedirect cookie to prevent open redirect#7923
Merged: NGPixel merged 1 commit into requarks:main on Feb 12, 2026
Conversation
The loginRedirect cookie value was used directly in res.redirect() and window.location.replace() without validation, allowing redirection to arbitrary external URLs. Added validation to ensure the redirect target is a relative path before use.
NGPixel (Member) approved these changes on Feb 12, 2026: Thanks!
Vulnerability identified and fix provided by Kolega.dev

Open Redirect via loginRedirect Cookie

Location
server/controllers/auth.js:75-86 and client/components/login.vue:646-663

Description
The loginRedirect cookie value is read and used directly in res.redirect() (server-side) and window.location.replace() (client-side) without any validation. An attacker can set this cookie to an arbitrary external URL (e.g., https://evil.com), and when the victim authenticates, they will be redirected to the attacker-controlled site. This enables phishing attacks where the attacker's site mimics the legitimate application to steal credentials or session tokens.

While the server sets this cookie legitimately in common.js:446 using req.path (which should be a relative path), cookies can be set by JavaScript on the same domain, subdomains if cookie scope allows, or the user's browser directly.

Analysis Notes
This is a confirmed open redirect vulnerability with high practical exploitability. The loginRedirect cookie value is read at line 75 of auth.js and passed directly to res.redirect() at line 81 without validation. The same pattern exists in login.vue at line 652 with window.location.replace().

Fix Applied
Added validation to ensure the loginRedirect cookie value is a safe relative path before using it for redirection. The validation checks that the value starts with /, does not start with // (which would create a protocol-relative URL like //evil.com), and does not contain :// (which would allow absolute URLs like https://evil.com). If the cookie contains an invalid value, it is cleared and the redirect falls through to the default behavior (authResult.redirect or /). The same fix is applied to both the server-side callback handler and the client-side login response handler.

Tests/Linters Ran
node_modules/.bin/eslint --format codeframe server/controllers/auth.js client/components/login.vue: Passed with no errors or warnings
node_modules/.bin/pug-lint server/views: Passed with no errors
node_modules/.bin/jest: server/test/helpers/page.test.js passed (3/3 tests). The Cypress integration test suite (dev/cypress/integration/setup.spec.js) has pre-existing failures unrelated to this change (Cypress globals not available in Jest runner).

Contribution Notes
security.securityOpenRedirect middleware in server/middlewares/security.js only strips repeating slashes from req.url and does not protect against cookie-based open redirects
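The validation the report describes, written out as an added example in Node.js. This is not the code merged in this PR and not Wiki.js code; function names (isSafeLoginRedirect, browserOrigin, resolvesToSameOrigin, resolveLoginRedirect, evaluateSamples), the DEFAULT_REDIRECT fallback and the sample cookie values are all constructed for the example. It goes beyond the report in two ways that are the example's own, not the PR's: it also rejects backslashes and control characters, because WHATWG URL parsing treats "\" like "/" in http(s) URLs so "/\evil.com" resolves to https://evil.com, and it double-checks with the URL parser that the value stays on the site origin. Whether the merged code does either is not shown on this page.

```javascript
// Added example, not code from the Wiki.js PR: a loginRedirect validator
// implementing the report's checks (starts with "/", not "//", no "://"),
// plus two extensions of this example's own: rejecting "\" and control
// characters, and confirming with the WHATWG URL parser that the value
// stays on the site origin. All names and sample values are hypothetical.

const DEFAULT_REDIRECT = '/'; // assumed fallback, standing in for "authResult.redirect or /"

// The report's three string checks, plus the extension.
// WHATWG URL parsing treats "\" like "/" for http(s) URLs, so "/\evil.com"
// would pass the "//" check alone and still resolve to https://evil.com.
function isSafeLoginRedirect(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  if (!value.startsWith('/')) return false;            // must be a path
  if (value.startsWith('//')) return false;            // protocol-relative URL
  if (value.includes('://')) return false;             // absolute URL
  if (/[\\\s\x00-\x1f\x7f]/.test(value)) return false; // extension: backslash, whitespace, control chars
  return true;
}

// Resolve a redirect value the way a browser would against the site origin
// and return the origin it lands on, or null if it does not parse.
function browserOrigin(value, siteOrigin) {
  try {
    return new URL(value, siteOrigin).origin;
  } catch (e) {
    return null;
  }
}

// Second, independent check: the resolved origin must equal the site's.
function resolvesToSameOrigin(value, siteOrigin) {
  const origin = browserOrigin(value, siteOrigin);
  return origin !== null && origin === new URL(siteOrigin).origin;
}

// Decide where to send the user after login. The same decision can drive
// res.redirect() on the server and window.location.replace() on the client.
// rejected === true means the cookie held an unsafe value and should be cleared.
function resolveLoginRedirect(cookieValue, siteOrigin, fallback = DEFAULT_REDIRECT) {
  if (cookieValue === undefined || cookieValue === null) {
    return { target: fallback, rejected: false }; // no cookie: default behaviour
  }
  if (isSafeLoginRedirect(cookieValue) && resolvesToSameOrigin(cookieValue, siteOrigin)) {
    return { target: cookieValue, rejected: false };
  }
  return { target: fallback, rejected: true }; // clear the cookie, fall through to default
}

// Constructed sample cookie values: the first is the legitimate case the
// server sets from req.path; the rest are values an attacker could plant
// via document.cookie on the same site, as the report describes.
const SAMPLES = [
  '/e/en/home',        // legitimate relative path
  'https://evil.com',  // absolute URL
  '//evil.com',        // protocol-relative URL
  '/\\evil.com',       // backslash variant, caught only by the extension
];

function evaluateSamples(siteOrigin = 'https://wiki.example.com') {
  return SAMPLES.map((value) => ({
    value,
    resolvedOrigin: browserOrigin(value, siteOrigin),
    decision: resolveLoginRedirect(value, siteOrigin),
  }));
}

for (const row of evaluateSamples()) {
  console.log(JSON.stringify(row));
}
```

The string checks and the origin comparison are kept separate on purpose: the string checks are cheap and match what the report describes, while the origin comparison catches parser-specific shapes (like the backslash case) without having to enumerate them. Running the block prints one line per sample; only the legitimate path is accepted.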