MCPcopy Index your code
hub / github.com/google/go-github / checkRedirectHost

Method checkRedirectHost

github/github.go:2076–2090  ·  view source on GitHub ↗

checkRedirectHost returns an error if the redirect target is on a different host than the client's configured BaseURL. This prevents credentials attached by the auth transport from being sent to an attacker-controlled host when a compromised or malicious API response returns a cross-origin Location

(location string)

Source from the content-addressed store, hash-verified

2074// compromised or malicious API response returns a cross-origin Location header.
2075// An empty Location is also rejected.
2076func (c *Client) checkRedirectHost(location string) error {
2077 if location == "" {
2078 return errInvalidLocation
2079 }
2080 target, err := url.Parse(location)
2081 if err != nil {
2082 return fmt.Errorf("invalid redirect location %q: %w", location, err)
2083 }
2084 // Resolve relative locations against BaseURL so relative paths are allowed.
2085 target = c.baseURL.ResolveReference(target)
2086 if target.Host != c.baseURL.Host {
2087 return fmt.Errorf("refusing to follow cross-host redirect from %q to %q", c.baseURL.Host, target.Host)
2088 }
2089 return nil
2090}
2091
2092// Ptr is a helper routine that allocates a new T value
2093// to store v and returns a pointer to it.

Calls

no outgoing calls

Tested by

no test coverage detected