Problem
The OAuth login flow in do_login() (lines 400-448) follows a redirect chain by extracting URLs from HTML content via regex:
    redirect_match = re.search(r'location\.href\s*=\s*["\']([^"\']+)["\']', result_html)
    # ...
    next_url = redirect_match.group(1)
    req = urllib.request.Request(next_url, headers=headers_base)  # follows ANY URL
The redirect targets are never validated against an allowlist of expected domains. If an attacker can inject content into the OAuth response (e.g., via MITM on a compromised network), they could redirect the client to an attacker-controlled URL, potentially exfiltrating the session cookies that are sent along.
Proposed Fix
Add a domain allowlist before following any redirect:
    import urllib.parse

    ALLOWED_REDIRECT_DOMAINS = {
        "cookidoo.de",
        "www.cookidoo.de",
        "eu.login.vorwerk.com",
        "ciam.prod.cookidoo.vorwerk-digital.com",
    }

    def is_safe_redirect(url: str) -> bool:
        # hostname (not netloc) ignores any user@ prefix and is lowercased
        parsed = urllib.parse.urlparse(url)
        return parsed.hostname in ALLOWED_REDIRECT_DOMAINS and parsed.scheme == "https"
Then in the redirect loop (line ~426):
    if redirect_match:
        next_url = redirect_match.group(1)
        if not is_safe_redirect(next_url):
            return False, f"Unsicherer Redirect blockiert: {next_url}"
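To show the allowlist check doing its job inside a redirect loop, here is a self-contained example (added here, not code from the project) that resolves relative redirects with urljoin before checking them and also rejects non-default ports, which goes slightly beyond the check proposed above. The fetch function and the HTML responses are constructed stand-ins for the real HTTP calls; the "tampered" response is a constructed illustration of the injected-content scenario described in the problem statement.

```python
import re
import urllib.parse
from typing import Callable, Tuple

# Same allowlist as in the proposed fix
ALLOWED_REDIRECT_DOMAINS = {
    "cookidoo.de",
    "www.cookidoo.de",
    "eu.login.vorwerk.com",
    "ciam.prod.cookidoo.vorwerk-digital.com",
}

# Same regex the login flow uses to pull the next hop out of the HTML
REDIRECT_RE = re.compile(r'location\.href\s*=\s*["\']([^"\']+)["\']')


def is_safe_redirect(url: str) -> bool:
    """True only for https URLs whose host is on the allowlist (default port)."""
    try:
        parsed = urllib.parse.urlparse(url)
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # .hostname strips any "user@" prefix and lowercases, so
    # "https://cookidoo.de@attacker.example/" resolves to attacker.example
    return (
        parsed.scheme == "https"
        and parsed.hostname in ALLOWED_REDIRECT_DOMAINS
        and port in (None, 443)
    )


def follow_redirects(start_url: str,
                     fetch: Callable[[str], str],
                     max_hops: int = 5) -> Tuple[bool, str]:
    """Walk the HTML redirect chain, refusing any hop off the allowlist.

    Returns (True, final_url) or (False, reason).
    """
    url = start_url
    for _ in range(max_hops):
        html = fetch(url)
        match = REDIRECT_RE.search(html)
        if not match:
            return True, url  # no further redirect: chain finished
        # Relative targets are resolved against the current page first,
        # otherwise they would have no hostname and be rejected outright
        next_url = urllib.parse.urljoin(url, match.group(1))
        if not is_safe_redirect(next_url):
            return False, f"Unsicherer Redirect blockiert: {next_url}"
        url = next_url
    return False, "too many redirects"


# Constructed fake responses standing in for the real OAuth endpoints
FAKE_RESPONSES = {
    "https://cookidoo.de/login":
        '<script>location.href = "https://eu.login.vorwerk.com/auth"</script>',
    "https://eu.login.vorwerk.com/auth":
        "<script>location.href='/callback?code=abc'</script>",
    "https://eu.login.vorwerk.com/callback?code=abc":
        '<script>location.href = "https://www.cookidoo.de/home"</script>',
    "https://www.cookidoo.de/home":
        "<html>logged in</html>",
    # constructed example of a response with an injected redirect
    "https://cookidoo.de/tampered":
        '<script>location.href = "https://cookidoo.de@attacker.example/steal"</script>',
}


def fake_fetch(url: str) -> str:
    return FAKE_RESPONSES.get(url, "")


if __name__ == "__main__":
    print(follow_redirects("https://cookidoo.de/login", fake_fetch))
    print(follow_redirects("https://cookidoo.de/tampered", fake_fetch))
```

The legitimate chain ends at https://www.cookidoo.de/home, while the tampered chain stops at the first hop whose hostname is not on the allowlist, before any request (and therefore any cookie) is sent to it.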
Severity
- Security: MEDIUM (requires MITM position, but low effort to fix)
- Effort: Small (5-10 lines of code)