Skip to content

Fix isSafeRedirectUrl host comparison on non-default ports #63

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lmajano merged 2 commits into from
Jan 14, 2026
Merged

Fix isSafeRedirectUrl host comparison on non-default ports #63

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
715035e
Initial plan
Copilot Jan 14, 2026
009d388
Fix isSafeRedirectUrl host comparison for non-default ports
Copilot Jan 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion interceptors/Security.cfc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -827,7 +827,9 @@ component accessors="true" extends="coldbox.system.Interceptor" {
}

// Get the current request's host for comparison
var currentHost = variables.cbSecurity.getRealHost();
// Normalize host: urlToValidate.getHost() does not include port
// Strip port from .getRealHost() for compare
var currentHost = listFirst( variables.cbSecurity.getRealHost(), ":" );

Comment on lines +830 to 833
Copy link

Copilot AI Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using listFirst(..., ':') to extract the hostname will break for IPv6 addresses, which contain multiple colons (e.g., 2001:db8::1:8080 or [2001:db8::1]:8080). When an IPv6 address with port is encountered, this will only return the first segment (e.g., 2001), causing the comparison to fail. Consider using a more robust approach that handles IPv6 addresses by checking for bracketed addresses first, or using listLast() to get the port and then removing it, or using Java's URI parsing capabilities.

Suggested change
// Normalize host: urlToValidate.getHost() does not include port
// Strip port from .getRealHost() for compare
var currentHost = listFirst( variables.cbSecurity.getRealHost(), ":" );
// Normalize host: urlToValidate.getHost() does not include port and supports IPv6
// Use java.net.URI to safely parse .getRealHost() (which may include port and/or IPv6)
var realHost = variables.cbSecurity.getRealHost();
var currentHost = "";
// Ensure we have a scheme so java.net.URI can parse the host correctly
var currentUriString = reFindNoCase( "^[a-z][a-z0-9+.-]*://", realHost )
? realHost
: "http://" & realHost;
try {
var currentUri = createObject( "java", "java.net.URI" ).init( currentUriString );
currentHost = currentUri.getHost();
// Fallback to the raw value if getHost() returned null
if ( isNull( currentHost ) || !len( currentHost ) ) {
currentHost = realHost;
}
} catch ( any ignore ) {
// If parsing fails, fall back to the raw value
currentHost = realHost;
}

Copilot uses AI. Check for mistakes.
// Compare hosts (case-insensitive)
return compareNoCase( urlToValidate.getHost(), currentHost ) == 0;
Expand Down
33 changes: 33 additions & 0 deletions test-harness/tests/specs/unit/SecurityTest.cfc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -342,6 +342,39 @@ component extends="coldbox.system.testing.BaseInterceptorTest" interceptor="cbse
expect( result ).toBeTrue();
} );

it( "allows URLs with non-default ports when host matches", () => {
// Simulate getRealHost returning host with port (e.g., during dev)
mockSecurityService.$( "getRealHost", "127.0.0.1:61910" );

var result = security.isSafeRedirectUrl(
targetUrl = "http://127.0.0.1:61910/account",
event = mockEvent
);
expect( result ).toBeTrue();
} );
Comment on lines +345 to +354
Copy link

Copilot AI Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test coverage is missing for IPv6 addresses with ports (e.g., http://[::1]:8080/path or http://[2001:db8::1]:9000/account). IPv6 addresses contain multiple colons, which could break the current listFirst(..., ':') implementation. Add test cases for IPv6 addresses with and without ports to ensure the fix works correctly for all address types.

Copilot uses AI. Check for mistakes.

it( "allows URLs with different ports when host matches", () => {
// getRealHost returns host with port
mockSecurityService.$( "getRealHost", "mysite.com:8080" );

// URL has a different port, but same host
var result = security.isSafeRedirectUrl(
targetUrl = "https://mysite.com:9000/account",
event = mockEvent
);
expect( result ).toBeTrue();
} );

it( "blocks URLs with different hosts even with same port", () => {
mockSecurityService.$( "getRealHost", "mysite.com:8080" );

var result = security.isSafeRedirectUrl(
targetUrl = "https://malicious.com:8080/phishing",
event = mockEvent
);
expect( result ).toBeFalse();
} );

it( "handles invalid URLs gracefully", () => {
var result = security.isSafeRedirectUrl( targetUrl = "not a valid url://", event = mockEvent );
expect( result ).toBeFalse();
Expand Down
Loading