github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-27 01:16:55 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

fix(origin-check): prevent URLs with double slashes from being trusted

Browse Source
This commit is contained in:
Bereket Engida
2025-02-24 12:25:04 +03:00
parent d9c57e1f56
commit 24659aefc3
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
packages/better-auth/src/api/middlewares/origin-check.ts
View File

@@ -47,7 +47,10 @@ export const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
const isTrustedOrigin = trustedOrigins.some(
(origin) =>
matchesPattern(url, origin) ||
(url?.startsWith("/") && label !== "origin" && !url.includes(":")),
(url?.startsWith("/") &&
label !== "origin" &&
!url.includes(":") &&
!url.includes("//")),
);
if (!isTrustedOrigin) {
ctx.context.logger.error(`Invalid ${label}: ${url}`);