
fix: harden agent authorize redirect URI matching against prefix-confusable hosts #2846

Merged: chubes4 merged 2 commits into main from fix-agent-authorize-redirect on Jul 3, 2026

Conversation

@chubes4 chubes4 commented Jul 3, 2026

Member

Summary

  • Harden agent authorize wildcard redirect URI matching by parsing pattern and candidate URLs before comparison.
  • Require exact scheme, case-insensitive exact host, normalized port equality, and path-prefix matching with segment boundaries.
  • Sanitize validated external callback redirects with wp_sanitize_redirect() and use wp_safe_redirect() for the local WordPress login redirect.

Vulnerability

The previous wildcard branch treated https://example.com/* as a raw string prefix. That allowed prefix-confusable callback hosts such as https://example.com.evil/steal or https://example.community/x to pass validation and receive authorization errors, codes, or tokens through Location headers.

Fix

Wildcard patterns now compare URL components instead of raw string prefixes. https://example.com/* only matches the same scheme, host, and normalized port, then allows any path on that host. Scoped wildcard paths such as https://example.com/cb/* match /cb and /cb/..., but not /cbx.

Test coverage

Added tests/agent-authorize-redirect-uri-smoke.php, covering host confusion, scheme downgrade, port changes, root/nested accepted paths, default-port normalization, and the /cb/* path-boundary case. Under the previous raw-prefix logic, the host-confusion cases would have returned true because the candidate URL string started with https://example.com.

Verification

  • php -l inc/Core/Auth/AgentAuthorize.php
  • php -l tests/agent-authorize-redirect-uri-smoke.php
  • php tests/agent-authorize-redirect-uri-smoke.php
  • composer run lint -- inc/Core/Auth/AgentAuthorize.php tests/agent-authorize-redirect-uri-smoke.php
  • composer run lint
  • git diff --check

composer test was attempted, but the Homeboy lab runner failed before executing repository tests because the runner cannot auto-sync stale wordpress extension parity from the controller-local source (runner_extension.controller_local_source_unresolvable).

AI assistance

  • AI assistance: Yes
  • Tool(s): opencode — Claude Fable 5 (Anthropic) orchestrator, GPT 5.5 (OpenAI) implementation subagent
  • Used for: Implemented the redirect URI matching hardening, regression smoke test, verification, commit, push, and PR drafting.
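Added example, not the PR's own AgentAuthorize code: a standalone PHP matcher that applies the component-wise wildcard rule the description gives (exact scheme, case-insensitive host, normalized port, segment-boundary path prefix) to the confusable-host, scheme, port and /cb/* cases listed above. The function names, the "/" default path, and the exact-string branch for non-wildcard patterns are assumptions.

```php
<?php
// Added example (not the project's AgentAuthorize code). Names are assumptions.

function dm_example_parse_redirect(string $url): ?array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null; // relative or malformed URLs never match a wildcard
    }
    $scheme  = $p['scheme'];
    $default = ['http' => 80, 'https' => 443][$scheme] ?? null;
    return [
        'scheme' => $scheme,                     // compared exactly
        'host'   => strtolower($p['host']),      // hosts are case-insensitive
        'port'   => $p['port'] ?? $default,      // ":443" and no port are equal
        'path'   => $p['path'] ?? '/',           // assumed default for a bare host
    ];
}

function dm_example_redirect_matches(string $pattern, string $candidate): bool {
    if (substr($pattern, -2) !== '/*') {
        return $pattern === $candidate;          // assumed: non-wildcard is exact
    }
    $pat  = dm_example_parse_redirect(substr($pattern, 0, -2)); // drop "/*"
    $cand = dm_example_parse_redirect($candidate);
    if ($pat === null || $cand === null
        || $pat['scheme'] !== $cand['scheme']
        || $pat['host']   !== $cand['host']
        || $pat['port']   !== $cand['port']) {
        return false;                            // scheme, host or port differ
    }
    $base = rtrim($pat['path'], '/');            // "/cb/*" -> "/cb"; "/*" -> ""
    $path = $cand['path'];
    // Segment boundary: "/cb" and "/cb/..." match, "/cbx" does not.
    return $path === ($base === '' ? '/' : $base) || strpos($path, $base . '/') === 0;
}

// Cases from the PR description (constructed inputs).
$pattern = 'https://example.com/*';
assert(dm_example_redirect_matches($pattern, 'https://example.com/callback'));
assert(dm_example_redirect_matches($pattern, 'https://example.com:443/cb'));
assert(!dm_example_redirect_matches($pattern, 'https://example.com.evil/steal'));
assert(!dm_example_redirect_matches($pattern, 'https://example.community/x'));
assert(!dm_example_redirect_matches($pattern, 'http://example.com/cb'));
assert(!dm_example_redirect_matches($pattern, 'https://example.com:8443/cb'));
$scoped = 'https://example.com/cb/*';
assert(dm_example_redirect_matches($scoped, 'https://example.com/cb'));
assert(dm_example_redirect_matches($scoped, 'https://example.com/cb/done'));
assert(!dm_example_redirect_matches($scoped, 'https://example.com/cbx'));
echo "all redirect checks behaved as expected\n";
```

Run with `php -d zend.assertions=1 -d assert.exception=1 example.php` so a failed assertion aborts rather than being compiled out.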

homeboy-ci Bot commented Jul 3, 2026

Contributor

Homeboy Results — data-machine

Lint

lint — passed

ℹ️ Full options: homeboy docs commands/lint
Deep dive: homeboy lint data-machine --changed-since bea094f

Artifacts and drill-down
  • CI results artifact: homeboy-ci-results-data-machine-lint-quality-Linux-node24 contains immediate command JSON for this action invocation.
  • Observation artifact: homeboy-observations-data-machine-lint-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
  • Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
  • Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine/actions/runs/28680452827

Test

test — failed

ℹ️ No tests ran — the runner failed before producing results. See raw_output.stderr_tail / raw_output.stdout_tail for the underlying error (bootstrap failure, missing deps, DB connection, etc.).
ℹ️ To run specific tests: homeboy test data-machine -- --filter=TestName
ℹ️ Auto-fix lint issues: homeboy refactor data-machine --from lint --write
ℹ️ Collect coverage: homeboy test data-machine --coverage
ℹ️ Analyze failures: homeboy test data-machine --analyze
ℹ️ Pass args to test runner: homeboy test -- [args]
ℹ️ Full options: homeboy docs commands/test
Deep dive: homeboy test data-machine --changed-since bea094f

Artifacts and drill-down
  • CI results artifact: homeboy-ci-results-data-machine-test-quality-Linux-node24 contains immediate command JSON for this action invocation.
  • Observation artifact: homeboy-observations-data-machine-test-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
  • Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
  • Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine/actions/runs/28680452827

Audit

audit — passed

  • audit — 36 finding(s)
  • Total: 36 finding(s)

Deep dive: homeboy audit data-machine --changed-since bea094f

Artifacts and drill-down
  • CI results artifact: homeboy-ci-results-data-machine-audit-quality-Linux-node24 contains immediate command JSON for this action invocation.
  • Observation artifact: homeboy-observations-data-machine-audit-quality-Linux-node24 contains exported Homeboy run history for deeper queries.
  • Drill-down: download the observation artifact, then run homeboy runs import <dir>, homeboy runs list, and homeboy runs findings <run-id>.
  • Artifacts are attached to the workflow run: https://github.com/Extra-Chill/data-machine/actions/runs/28680452827
Tooling versions
  • Homeboy CLI: homeboy 0.280.13+89fee93c89fb+2025825e
  • Extension: wordpress from https://github.com/Extra-Chill/homeboy-extensions
  • Extension revision: ec4685ca
  • Action: unknown@unknown

@chubes4 chubes4 merged commit 28dd1a0 into main Jul 3, 2026
4 of 5 checks passed
@chubes4 chubes4 deleted the fix-agent-authorize-redirect branch July 3, 2026 19:56
