authorUnknwon <u@gogs.io>2018-09-28 23:19:08 -0400
committerUnknwon <u@gogs.io>2018-09-28 23:19:29 -0400
commitbd7d1e2f169d6cdfecd952a1d3ed55d0f49f4104 (patch)
treec6c0b5db2afb16081f3aecc8f441f7618f824a91 /pkg/tool
parentaff0bbcc325d9564fcd2b08c2fd52281f0dfc486 (diff)
routes: fix open redirect vulnerability (#5355)
Reported by @cezar97.
Diffstat (limited to 'pkg/tool')
-rw-r--r--pkg/tool/path.go12
-rw-r--r--pkg/tool/path_test.go32
2 files changed, 44 insertions, 0 deletions
diff --git a/pkg/tool/path.go b/pkg/tool/path.go
new file mode 100644
index 00000000..e478abc5
--- /dev/null
+++ b/pkg/tool/path.go
@@ -0,0 +1,12 @@
+// Copyright 2018 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package tool
+
+// IsSameSiteURLPath returns true if the URL path belongs to the same site, false otherwise.
+// False: //url, http://url, /\url
+// True: /url
+func IsSameSiteURLPath(url string) bool {
+ return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
+}
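Review bot: `IsSameSiteURLPath("/")` returns false, because the `len(url) >= 2` guard at the start of the expression rejects a one-character path before the leading-slash check runs, so a caller redirecting to the site root will see it classified as off-site even though it is clearly same-site. If rejecting the bare root is deliberate, the doc comment should say so explicitly; otherwise the return can read `return url == "/" || (len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\')`. The comment would also benefit from stating the contract the check relies on — that the argument is the raw path as received (not URL-decoded, not trimmed), since a pre-processed value could differ from what the browser ends up interpreting — and that the empty string is rejected, e.g. `// The empty string and "/" alone are rejected; callers should fall back to a fixed in-site location when this returns false.`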
diff --git a/pkg/tool/path_test.go b/pkg/tool/path_test.go
new file mode 100644
index 00000000..530238ce
--- /dev/null
+++ b/pkg/tool/path_test.go
@@ -0,0 +1,32 @@
+// Copyright 2018 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package tool
+
+import (
+ "testing"
+
+ . "github.com/smartystreets/goconvey/convey"
+)
+
+func Test_IsSameSiteURLPath(t *testing.T) {
+ Convey("Check if a path belongs to the same site", t, func() {
+ testCases := []struct {
+ url string
+ expect bool
+ }{
+ {"//github.com", false},
+ {"http://github.com", false},
+ {"https://github.com", false},
+ {"/\\github.com", false},
+
+ {"/admin", true},
+ {"/user/repo", true},
+ }
+
+ for _, tc := range testCases {
+ So(IsSameSiteURLPath(tc.url), ShouldEqual, tc.expect)
+ }
+ })
+}
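Review bot: The table has no boundary cases, so the behaviour of `IsSameSiteURLPath` for the empty string and for the bare site root is left unpinned even though both fall on the `len(url) >= 2` edge of the implementation. Add `{"", false},` to the false group and a `{"/", …}` entry whose expectation matches whatever the intended answer for the root path is, so a later change to that guard is caught here. A case such as `{"/", true}` would currently fail, which is worth confirming against the call sites before merging.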