redirect to root during oauth#callback if attempted phishing attack #1605
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nelsonwittwer
force-pushed
the
nelsonwittwer/oauth_security
branch
from
7680031 to
a19ac26
Compare
nelsonwittwer
changed the title
|
I can't install my app when its pointing to this branch. Looks like something is wrong with the url.
|
klenotiw
reviewed
Dec 8, 2022
klenotiw
reviewed
Dec 8, 2022
nelsonwittwer
force-pushed
the
nelsonwittwer/oauth_security
branch
2 times, most recently
from
9d0bf97 to
616993f
Compare
nelsonwittwer
force-pushed
the
nelsonwittwer/oauth_security
branch
from
616993f to
685f377
Compare
klenotiw
reviewed
Dec 8, 2022
Co-authored-by: Bill Klenotiz <54754550+klenotiw@users.noreply.github.com>
klenotiw
approved these changes
Dec 8, 2022
6 tasks
fabriazza
pushed a commit
to fabriazza/shopify_app
that referenced
this pull request
Feb 1, 2023
…hopify#1605) * render 404 if attempted phishing attack * changelog * rubocop style fixes * root address instead of 404 * redirect to param[:host] after sanitization * Update app/controllers/shopify_app/callback_controller.rb Co-authored-by: Bill Klenotiz <54754550+klenotiw@users.noreply.github.com> Co-authored-by: Bill Klenotiz <54754550+klenotiw@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does
Patches a phishing vulnerability with the OAuth callback flow.
Reviewer's guide to testing
Should still be able to install app and be redirected to app after install.
Checklist
Before submitting the PR, please consider if any of the following are needed:
CHANGELOG.mdif the changes would impact usersREADME.md, if appropriate./docs, if necessary