
Potential fix for code scanning alert no. 47: URL redirection from remote source#108

Merged
meraedit merged 2 commits into master from alert-autofix-47
Jul 2, 2026

Conversation

@meraedit meraedit commented Jul 2, 2026

Contributor

Potential fix for https://github.com/Servoy/servoy-eclipse/security/code-scanning/47

Best fix: ensure the redirect target is strictly a relative in-app path and reject any absolute/protocol-relative/newline-injected values before calling sendRedirect.

In com.servoy.eclipse.ngclient.ui/src/com/servoy/eclipse/ngclient/ui/IndexPageFilter.java, replace the current line 141 redirect construction with:

  1. Build the base path from request.getRequestURI().replace("/svy_oauth", "").
  2. Build the full target with optional query string.
  3. Validate target is safe:
    • starts with /
    • does not start with //
    • does not contain \r or \n
    • does not contain "://" (absolute URL indicator)
  4. If validation fails, redirect to a safe local fallback (for example, the sanitized base path or /).
  5. Otherwise redirect to the validated target.

No new dependencies are needed; no import changes are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
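The validation steps listed in the description, written out as a standalone Java method with constructed inputs (an added example, not the servoy-eclipse change itself). The final backslash rule is an assumed hardening step that goes beyond the PR's list; everything else follows steps 1 to 5 above.

```java
// Added example, not code from servoy-eclipse: the redirect-target check the PR
// describes, plus the fallback it prescribes when validation fails.
public class RedirectTargetCheck {

    // True only for a strictly relative, in-app path (the PR's validation rules).
    static boolean isSafeLocalPath(String target) {
        if (target == null || !target.startsWith("/")) return false;  // must be rooted in this app
        if (target.startsWith("//")) return false;                    // protocol-relative host
        if (target.indexOf('\r') >= 0 || target.indexOf('\n') >= 0) return false; // header injection
        if (target.contains("://")) return false;                     // absolute URL
        // Assumed extra hardening beyond the PR's list: browsers treat '\' like '/',
        // so "/\host" is resolved as "//host".
        if (target.startsWith("/\\")) return false;
        return true;
    }

    // Steps 1-5 of the PR: build base path and target, validate, fall back.
    static String resolveRedirect(String requestUri, String queryString) {
        String basePath = requestUri.replace("/svy_oauth", "");
        String target = (queryString == null || queryString.isEmpty())
                ? basePath : basePath + "?" + queryString;
        if (isSafeLocalPath(target)) return target;
        // Fallback: the sanitized base path if it passes on its own, else the app root.
        return isSafeLocalPath(basePath) ? basePath : "/";
    }

    public static void main(String[] args) {
        // Constructed request URIs and query strings with the expected redirect target;
        // not taken from any real request log.
        String[][] cases = {
            {"/svy_oauth/solution/main", null, "/solution/main"},
            {"/svy_oauth/app", "id=42", "/app?id=42"},
            {"//svy_oauth/evil.example", null, "/"},                  // protocol-relative
            {"/svy_oauth/app", "x=1\r\nSet-Cookie: a=b", "/app"},      // CRLF in query
            {"/svy_oauth/app", "next=https://evil.example", "/app"},   // "://" in query
            {"/\\svy_oauth/evil.example", null, "/"},                  // backslash variant
        };
        for (String[] c : cases) {
            String got = resolveRedirect(c[0], c[1]);
            System.out.printf("%-40s -> %-16s %s%n", c[0] + " ? " + c[1], got,
                    got.equals(c[2]) ? "ok" : "MISMATCH");
        }
    }
}
```

Note that the "://" rule also rejects a legitimate query string that happens to carry a URL, so such requests land on the fallback path rather than the page they asked for.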

…mote source

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
… remote source'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@meraedit meraedit marked this pull request as ready for review July 2, 2026 12:10
@meraedit meraedit merged commit 1c6df13 into master Jul 2, 2026
6 checks passed