Merge pull request #4204 from aviu16/fix/csrf-referer-origin-matching

ReneWerner87 · web-flow · commit 6c19f4878988 · 2026-04-11T19:59:09.000+02:00
diff --git a/middleware/csrf/csrf.go b/middleware/csrf/csrf.go
@@ -387,14 +387,14 @@ func refererMatchesHost(c fiber.Ctx, trustedOrigins []string, trustedSubOrigins
 		return nil
 	}
 
-	referer = refererURL.String()
+	refererOrigin := refererURL.Scheme + "://" + refererURL.Host
 
-	if slices.Contains(trustedOrigins, referer) {
+	if slices.Contains(trustedOrigins, refererOrigin) {
 		return nil
 	}
 
 	for _, trustedSubOrigin := range trustedSubOrigins {
-		if trustedSubOrigin.match(referer) {
+		if trustedSubOrigin.match(refererOrigin) {
 			return nil
 		}
 	}
diff --git a/middleware/csrf/csrf_test.go b/middleware/csrf/csrf_test.go
@@ -1336,6 +1336,38 @@ func Test_CSRF_TrustedOrigins(t *testing.T) {
 	ctx.Request.Header.SetCookie(ConfigDefault.CookieName, token)
 	h(ctx)
 	require.Equal(t, 403, ctx.Response.StatusCode())
+
+	// Test Trusted Referer with path — referer URL includes a path component
+	// which must not prevent matching against the trusted origin
+	ctx.Request.Reset()
+	ctx.Response.Reset()
+	ctx.Request.Header.SetMethod(fiber.MethodPost)
+	ctx.Request.Header.Set(fiber.HeaderXForwardedProto, "https")
+	ctx.Request.URI().SetScheme("https")
+	ctx.Request.URI().SetHost("example.com")
+	ctx.Request.Header.SetProtocol("https")
+	ctx.Request.Header.SetHost("example.com")
+	ctx.Request.Header.Set(fiber.HeaderReferer, "https://safe.example.com/some/path?q=1")
+	ctx.Request.Header.Set(HeaderName, token)
+	ctx.Request.Header.SetCookie(ConfigDefault.CookieName, token)
+	h(ctx)
+	require.Equal(t, 200, ctx.Response.StatusCode())
+
+	// Test Trusted Referer Wildcard with path — wildcard subdomain referer
+	// that includes a path must still match the trusted sub-origin
+	ctx.Request.Reset()
+	ctx.Response.Reset()
+	ctx.Request.Header.SetMethod(fiber.MethodPost)
+	ctx.Request.Header.Set(fiber.HeaderXForwardedProto, "https")
+	ctx.Request.URI().SetScheme("https")
+	ctx.Request.URI().SetHost("domain-1.com")
+	ctx.Request.Header.SetProtocol("https")
+	ctx.Request.Header.SetHost("domain-1.com")
+	ctx.Request.Header.Set(fiber.HeaderReferer, "https://safe.domain-1.com/api/callback?code=abc")
+	ctx.Request.Header.Set(HeaderName, token)
+	ctx.Request.Header.SetCookie(ConfigDefault.CookieName, token)
+	h(ctx)
+	require.Equal(t, 200, ctx.Response.StatusCode())
 }
 
 func Test_CSRF_TrustedOrigins_InvalidOrigins(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -387,14 +387,14 @@ func refererMatchesHost(c fiber.Ctx, trustedOrigins []string, trustedSubOrigins`
`387`	`387`	`return nil`
`388`	`388`	`}`
`389`	`389`
`390`		`- referer = refererURL.String()`
	`390`	`+ refererOrigin := refererURL.Scheme + "://" + refererURL.Host`
`391`	`391`
`392`		`- if slices.Contains(trustedOrigins, referer) {`
	`392`	`+ if slices.Contains(trustedOrigins, refererOrigin) {`
`393`	`393`	`return nil`
`394`	`394`	`}`
`395`	`395`
`396`	`396`	`for _, trustedSubOrigin := range trustedSubOrigins {`
`397`		`- if trustedSubOrigin.match(referer) {`
	`397`	`+ if trustedSubOrigin.match(refererOrigin) {`
`398`	`398`	`return nil`
`399`	`399`	`}`
`400`	`400`	`}`