From d9fe1cba4c3eb845038b54384a04829416debe9e Mon Sep 17 00:00:00 2001
From: Muhammad Bilal Khan
Date: Mon, 24 Nov 2025 00:01:18 +0500
Subject: [PATCH] refs #401: added URL restriction protection
---
 ee/wcp/cefsimple/simple_handler.h | 36 +++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/ee/wcp/cefsimple/simple_handler.h b/ee/wcp/cefsimple/simple_handler.h
index f4aff693..932c64b3 100644
--- a/ee/wcp/cefsimple/simple_handler.h
+++ b/ee/wcp/cefsimple/simple_handler.h
@@ -14,6 +14,9 @@
 #include
 #include
+#include
+#include
+#include
 #include "crypt.h"
 #define OAUTH_CHALLENGE_LEN 64
@@ -29,6 +32,11 @@
 // https://windows-cred-provider.pr.test.goauthentik.io
 const std::string g_strTokenEndpoint = "/application/o/token/";
+// Allowed base URLs (ensure lower case)
+const std::vector g_vecAllowedBaseURLs = {
+ "https://windows-cred-provider.pr.test.goauthentik.io",
+ "https://static.cloudflareinsights.com"
+};
 class SimpleHandler : public CefClient,
 public CefDisplayHandler,
@@ -113,6 +121,34 @@ class SimpleHandler : public CefClient,
 const std::string strKey = "goauthentik.io://";
 std::string strURL = request->GetURL().ToString();
 Debug(strURL.c_str());
+
+ // Base URL restriction protection
+ {
+ bool bURLValid = false;
+ std::string strURLLowerCase = strURL;
+ std::transform(
+ strURLLowerCase.begin(), strURLLowerCase.end(),
+ strURLLowerCase.begin(),
+ [] (const unsigned char c) { return std::tolower(c); }
+ );
+ for (const auto& it : g_vecAllowedBaseURLs)
+ {
+ if (strURLLowerCase.length() >= it.length())
+ {
+ if (strURLLowerCase.substr(0, it.length()) == it)
+ {
+ bURLValid = true;
+ break;
+ }
+ }
+ }
+ if (! bURLValid)
+ {
+ Debug(std::string("Unauthorized URL request. Skip: " + strURL).c_str());
+ return RV_CANCEL;
+ }
+ }
+ if (strURL.length() >= strKey.length()) { if (strURL.substr(0, strKey.length()) == strKey)
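Review bot: The entries in `g_vecAllowedBaseURLs` carry no trailing `/`, so used as bare string prefixes they also cover every origin whose text merely starts with them, e.g. `https://windows-cred-provider.pr.test.goauthentik.io.attacker.example/`; terminate each entry with `/` (`"https://windows-cred-provider.pr.test.goauthentik.io/"`) so the host cannot be extended, or compare parsed host names instead. The comment `(ensure lower case)` states a convention the code cannot enforce on a runtime vector, so say why it matters: `// Allowed base URLs; must be lower case because the request URL is lower-cased before the prefix compare`. Admitting `static.cloudflareinsights.com`, a third-party analytics host, into a credential-provider browser widens what can load during the login flow, and a comment recording why it is required would help the next reviewer.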
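Review bot: The comparison `strURLLowerCase.substr(0, it.length()) == it` is a pure prefix match, so a URL whose authority merely begins with an allowed entry passes — `https://windows-cred-provider.pr.test.goauthentik.io@attacker.example/` (allowed host as userinfo) and `https://windows-cred-provider.pr.test.goauthentik.io.attacker.example/` (allowed host as a subdomain label) are both accepted and the restriction can be bypassed. At minimum require the match to end at a `/` or at end-of-string, e.g. `const bool bPrefix = strURLLowerCase.compare(0, it.length(), it) == 0;` and `if (bPrefix && (strURLLowerCase.length() == it.length() || strURLLowerCase[it.length()] == '/'))`; comparing the scheme and host as parsed URL components (CEF ships a URL parser, if this build exposes it) is more robust than any string test. The new block also runs before the existing `goauthentik.io://` handling that follows it, and `goauthentik.io://...` matches no `https://` entry, so those requests are now cancelled with "Unauthorized URL request" before that branch is reached; if that scheme is still meant to be handled, move the new block below it or add the scheme to the allow list. The enclosing function starts before and continues past this hunk, so the rest of its control flow is not visible here.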