Summary
Harden agent authorize wildcard redirect URI matching by parsing pattern and candidate URLs before comparison.
Require exact scheme, case-insensitive exact host, normalized port equality, and path-prefix matching with segment boundaries.
Sanitize validated external callback redirects with wp_sanitize_redirect() and use wp_safe_redirect() for the local WordPress login redirect.
Vulnerability
The previous wildcard branch treated https://example.com/* as a raw string prefix. That allowed prefix-confusable callback hosts such as https://example.com.evil/steal or https://example.community/x to pass validation and receive authorization errors, codes, or tokens through Location headers.
Fix
Wildcard patterns now compare URL components instead of raw string prefixes. https://example.com/* only matches the same scheme, host, and normalized port, then allows any path on that host. Scoped wildcard paths such as https://example.com/cb/* match /cb and /cb/..., but not /cbx.
Test coverage
Added tests/agent-authorize-redirect-uri-smoke.php, covering host confusion, scheme downgrade, port changes, root/nested accepted paths, default-port normalization, and the /cb/* path-boundary case. Under the previous raw-prefix logic, the host-confusion cases would have returned true because the candidate URL string started with https://example.com.
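The matcher the Fix and Test coverage sections describe, as an added example that is not code from this PR or the plugin: the hardened component-wise check beside the raw-prefix check it replaced, run over constructed cases mirroring the PR's test list. Function names (dm_*) are my own and the block needs PHP 8.0 or later.

```php
<?php
// Added example, not the project's code: the component-wise wildcard match the PR
// describes, beside the old raw-prefix check. Names are my own; needs PHP 8.0+.
// Old behaviour: strip the trailing "/*" and compare raw string prefixes, so
// "https://example.com.evil/x" passes because it starts with "https://example.com".
function dm_old_prefix_match(string $pattern, string $candidate): bool {
    return str_starts_with($candidate, rtrim($pattern, '/*'));
}

// Lowercase scheme/host, fill in the default port, default the path to "/";
// null if the URL is unusable. Query and fragment are ignored here.
function dm_parse_redirect(string $url): ?array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme  = strtolower($p['scheme']);
    $default = ['http' => 80, 'https' => 443][$scheme] ?? null;
    return ['scheme' => $scheme, 'host' => strtolower($p['host']),
            'port' => $p['port'] ?? $default, 'path' => $p['path'] ?? '/'];
}

// Hardened behaviour: exact scheme, host and normalized port; a "/*" pattern
// then accepts its own path or any path below it on a "/" segment boundary.
function dm_redirect_uri_matches(string $pattern, string $candidate): bool {
    $wild = str_ends_with($pattern, '/*');
    $pat  = dm_parse_redirect($wild ? substr($pattern, 0, -1) : $pattern);
    $cand = dm_parse_redirect($candidate);
    if ($pat === null || $cand === null || $pat['scheme'] !== $cand['scheme']
        || $pat['host'] !== $cand['host'] || $pat['port'] !== $cand['port']) {
        return false;
    }
    if (!$wild) {
        return $pat['path'] === $cand['path'];
    }
    $base = rtrim($pat['path'], '/');   // "/cb/*" -> "/cb", "/*" -> ""
    return $cand['path'] === $base || str_starts_with($cand['path'], $base . '/');
}
// Constructed cases mirroring the PR's test list: (pattern, candidate, expected).
foreach ([
    ['https://example.com/*',    'https://example.com.evil/steal', false], // host confusion
    ['https://example.com/*',    'http://example.com/cb',          false], // scheme downgrade
    ['https://example.com/*',    'https://example.com:8443/cb',    false], // port change
    ['https://example.com/*',    'https://EXAMPLE.com:443/a/b',    true],  // default port, case
    ['https://example.com/cb/*', 'https://example.com/cb',         true],  // scoped root
    ['https://example.com/cb/*', 'https://example.com/cbx',        false], // segment boundary
] as [$pattern, $candidate, $expected]) {
    $new = dm_redirect_uri_matches($pattern, $candidate);
    $old = dm_old_prefix_match($pattern, $candidate);
    printf("%s new=%d old=%d %s\n", $new === $expected ? 'ok ' : 'BAD', $new, $old, $candidate);
}
```

Every row prints ok for the new matcher; the old column shows 1 for the host-confusion, port-change and /cbx rows, which is the bug the PR closes.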
Verification
php -l inc/Core/Auth/AgentAuthorize.php
php -l tests/agent-authorize-redirect-uri-smoke.php
php tests/agent-authorize-redirect-uri-smoke.php
composer run lint -- inc/Core/Auth/AgentAuthorize.php tests/agent-authorize-redirect-uri-smoke.php
composer run lint
git diff --check
composer test was attempted, but the Homeboy lab runner failed before executing repository tests because the runner cannot auto-sync stale wordpress extension parity from the controller-local source (runner_extension.controller_local_source_unresolvable).
ℹ️ No tests ran — the runner failed before producing results. See raw_output.stderr_tail / raw_output.stdout_tail for the underlying error (bootstrap failure, missing deps, DB connection, etc.).
ℹ️ To run specific tests: homeboy test data-machine -- --filter=TestName
ℹ️ Auto-fix lint issues: homeboy refactor data-machine --from lint --write
ℹ️ Collect coverage: homeboy test data-machine --coverage
ℹ️ Analyze failures: homeboy test data-machine --analyze
ℹ️ Pass args to test runner: homeboy test -- [args]
ℹ️ Full options: homeboy docs commands/test
Deep dive: homeboy test data-machine --changed-since bea094f
Artifacts and drill-down
CI results artifact: homeboy-ci-results-data-machine-test-quality-Linux-node24 contains immediate command JSON for this action invocation.
Observation artifact: homeboy-observations-data-machine-test-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.