fix(auth): prevent open redirect via callback_ui (#3844)

Validate callback_ui and default invalid values to /.
Allow absolute callback_ui only when its origin is allowlisted via http.auth.openid.callbackAllowOrigins (and externalUrl).
Add/adjust unit + controller tests and update examples/docs for relative vs allowlisted absolute redirect.

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
This commit is contained in:
Andrei Aaron
2026-03-08 08:13:16 +02:00
committed by GitHub
parent 6f67fcdf8f
commit 9425ca8b7d
10 changed files with 368 additions and 12 deletions
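The validation rule the commit message describes (relative targets pass, absolute targets pass only when their origin is on an allowlist, everything else falls back to `/`) is shown below as an added Go example. It is not zot's own code: the function name, the shape of the allowlist (a slice of `scheme://host[:port]` strings, standing in for the `callbackAllowOrigins` and `externalUrl` settings the message mentions) and the sample inputs are assumptions. It goes slightly beyond the message by also rejecting the protocol-relative (`//host`) and backslash variants that browsers normalise into a redirect to another host.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumed names; the constants mirror the SchemeHTTP/SchemeHTTPS values added in this commit.
const (
	schemeHTTP      = "http"
	schemeHTTPS     = "https"
	defaultRedirect = "/"
)

// SanitizeCallbackUI returns a redirect target that is safe to send the browser to.
//   - Relative targets must start with exactly one "/" and contain no backslash, so
//     "//evil.example" and "/\evil.example" (which browsers treat alike) are rejected.
//   - Absolute targets must use http or https, carry no userinfo, and have a
//     scheme://host[:port] origin that matches allowedOrigins (case-insensitively).
//   - Anything else, including unparsable input, becomes "/".
func SanitizeCallbackUI(raw string, allowedOrigins []string) string {
	if raw == "" {
		return defaultRedirect
	}
	u, err := url.Parse(raw)
	if err != nil {
		return defaultRedirect
	}

	// Relative target: no scheme, no host, no userinfo.
	if u.Scheme == "" && u.Host == "" && u.User == nil {
		if !strings.HasPrefix(raw, "/") || strings.HasPrefix(raw, "//") || strings.Contains(raw, "\\") {
			return defaultRedirect
		}
		return u.RequestURI() // normalised path plus query, fragment dropped
	}

	// Absolute (or protocol-relative) target: scheme and origin must both be acceptable.
	scheme := strings.ToLower(u.Scheme)
	if (scheme != schemeHTTP && scheme != schemeHTTPS) || u.Host == "" || u.User != nil {
		return defaultRedirect
	}
	origin := scheme + "://" + strings.ToLower(u.Host)
	for _, allowed := range allowedOrigins {
		if strings.EqualFold(strings.TrimRight(allowed, "/"), origin) {
			return u.String()
		}
	}
	return defaultRedirect
}

func main() {
	// Constructed allowlist and inputs for demonstration.
	allowed := []string{"https://allowed.example", "http://localhost:8080"}
	for _, in := range []string{
		"/home?x=1",
		"//evil.example/",
		"/\\evil.example",
		"https://allowed.example/ui?x=1",
		"https://allowed.example.evil.example/",
		"https://allowed.example@evil.example/",
		"http://localhost/ui",
		"javascript:alert(1)",
	} {
		fmt.Printf("%-45q -> %q\n", in, SanitizeCallbackUI(in, allowed))
	}
}
```

Comparing the whole origin rather than a host suffix is what stops `allowed.example.evil.example` from passing, and rejecting userinfo stops `allowed.example@evil.example`, where the part before `@` is a username and the real host is the attacker's.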
@@ -22,6 +22,8 @@ const (
SessionClientHeaderValue = "zot-ui"
APIKeysPrefix = "zak_"
CallbackUIQueryParam = "callback_ui"
SchemeHTTP = "http"
SchemeHTTPS = "https"
APIKeyTimeFormat = time.RFC3339
// CreatePermission is an authz permission for create actions.
CreatePermission = "create"
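Review bot: the new SchemeHTTP and SchemeHTTPS constants have no doc comment, unlike CreatePermission two lines below them; add one stating what they gate (presumably the only schemes accepted for an absolute callback_ui origin), since nothing in this const block says where they are consumed. When they are compared against a parsed scheme, note that net/url already lowercases the scheme, so the comparison is exact, whereas any string comparison of the host part of an origin against the allowlist still needs to be case-insensitive.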