
Copilot AI commented Nov 30, 2025

Security audit identified an open redirect vulnerability in the login flow and several missing safety features for destructive operations.

Security Fixes

  • Open redirect in login.vue: The url query parameter was used for post-login redirect without validation. Attackers could craft URLs like /auth/login?url=//evil.com to redirect users to malicious sites.
// Before: Unvalidated redirect
const redirectUrl = route.query.url || '/';

// After: Validated redirect with injection protection
const getValidRedirectUrl = (url: unknown): string => {
    // Non-string or empty values (missing param, array from ?url=a&url=b) fall back to "/"
    if (typeof url !== 'string' || !url) return '/';
    // Strip CR/LF/TAB before checking, so they cannot hide the leading characters
    const sanitized = url.replace(/[\r\n\t]/g, '');
    // Accept only path-absolute targets; "//host" would be a scheme-relative redirect
    if (sanitized.startsWith('/') && !sanitized.startsWith('//')) return sanitized;
    return '/';
};
  • Account deletion: Added confirmation modal to security.vue with proper session cleanup
  • Domain deletion: Implemented empty danger-zone.vue with type-to-confirm pattern

Bug Fixes

  • error.vue: Fixed hardcoded 404 to display actual error from props

Cleanup

  • Removed unused FormError import in forgot-password.vue
  • Removed unused fileRef variable in settings/index.vue

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.fontshare.com
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/APP/APP/node_modules/.bin/nuxt build (dns block)
  • api.fontsource.org
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/APP/APP/node_modules/.bin/nuxt build (dns block)
  • fonts.bunny.net
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/APP/APP/node_modules/.bin/nuxt build (dns block)
  • fonts.google.com
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/APP/APP/node_modules/.bin/nuxt build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

scan the whole repository and app for bad code, bad security, Bugs...
and resolve them. when you are done create a pull request with your changes
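The PR's check rejects the `//evil.com` form called out above. A practitioner would also want to cover the backslash variant (`/\evil.com`), which the WHATWG URL parser used by browsers normalises to `//evil.com`, and to confirm with the same parser that the target stays on the application's origin. The block below is an added example, not code from this PR or from the project, and assumes a hypothetical `APP_ORIGIN` of `https://app.example`. It also shows a pitfall of its own design: because it re-serialises the path from the parsed URL, dot-segment collapsing can turn `/..//evil.com` into the pathname `//evil.com`, so the scheme-relative check is applied again to the output.

```typescript
// Added example (not the project's code): a stricter post-login redirect validator.
// APP_ORIGIN is an assumed value used only for illustration.
const APP_ORIGIN = 'https://app.example';

// True if s begins with "/" followed by "/" or "\". Browsers treat "\" as "/" in
// http(s) URLs, so "/\host" is a scheme-relative reference just like "//host".
function isSchemeRelative(s: string): boolean {
  return /^\/[\/\\]/.test(s);
}

function getSafeRedirect(raw: unknown, fallback = '/'): string {
  // Missing param, or an array from ?url=a&url=b: fall back.
  if (typeof raw !== 'string' || raw === '') return fallback;

  // Remove CR/LF/TAB, which are invisible in logs and confuse downstream parsers.
  const cleaned = raw.replace(/[\r\n\t]/g, '');

  // Require a path-absolute reference ("/something"); reject "//host" and "/\host".
  if (!cleaned.startsWith('/') || isSchemeRelative(cleaned)) return fallback;

  // Resolve with the WHATWG parser to see how a browser would interpret the value.
  let resolved: URL;
  try {
    resolved = new URL(cleaned, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;

  // Re-serialise from the parsed parts and check again: "/..//evil.com" parses to
  // the on-origin pathname "//evil.com", which is scheme-relative if navigated to.
  const out = resolved.pathname + resolved.search + resolved.hash;
  return isSchemeRelative(out) ? fallback : out;
}

// Constructed inputs (not real traffic) with the result each should produce.
const SAMPLES: Array<[unknown, string]> = [
  ['/dashboard', '/dashboard'],
  ['/settings?tab=security#danger', '/settings?tab=security#danger'],
  ['//evil.com', '/'],
  ['/\\evil.com', '/'],
  ['/..//evil.com', '/'],
  ['https://evil.com/', '/'],
  ['javascript:alert(1)', '/'],
  ['/dash\r\nboard', '/dashboard'],
  [undefined, '/'],
  [['/a'], '/'],
];

// Returns true when every sample maps to its expected redirect target.
function runSamples(): boolean {
  return SAMPLES.every(([input, want]) => getSafeRedirect(input) === want);
}

console.log(runSamples() ? 'all samples ok' : 'sample mismatch');
```

The function returns a path built from the parser's own `pathname`, `search` and `hash` rather than the caller's string, so whatever is passed to `navigateTo` or a `Location` header is a value the parser has already agreed is same-origin.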



Copilot AI and others added 3 commits November 30, 2025 11:44
Co-authored-by: LeiCraft <88381277+LeiCraft@users.noreply.github.com>
- Fix Open Redirect vulnerability in login.vue by validating redirect URLs
- Fix error.vue to properly display actual error instead of hardcoded 404
- Remove unused import (FormError) in forgot-password.vue
- Remove unused variable (fileRef) in settings/index.vue
- Implement delete account functionality with confirmation modal
- Implement danger-zone page for domain deletion with confirmation

Co-authored-by: LeiCraft <88381277+LeiCraft@users.noreply.github.com>
Co-authored-by: LeiCraft <88381277+LeiCraft@users.noreply.github.com>
Copilot AI changed the title [WIP] Scan repository for issues and resolve bugs Fix open redirect vulnerability and implement missing security features Nov 30, 2025
Copilot AI requested a review from LeiCraft November 30, 2025 11:57
