From 4e84df13a86fc748e4ef7bef6f5014c30a5528b7 Mon Sep 17 00:00:00 2001
From: John Wang
Date: Fri, 30 Jan 2026 05:58:31 -0800
Subject: [PATCH] Potential fix for code scanning alert no. 2: Open URL redirect

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 oauth2/handlers.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/oauth2/handlers.go b/oauth2/handlers.go
index 7c7d03d..c179f6a 100644
--- a/oauth2/handlers.go
+++ b/oauth2/handlers.go
@@ -733,12 +733,21 @@ func (s *Server) redirectWithError(w http.ResponseWriter, r *http.Request, redir
 		return
 	}
 
-	u, err := url.Parse(redirectURI)
+	// Normalize backslashes to forward slashes before parsing
+	normalized := strings.ReplaceAll(redirectURI, "\\", "/")
+
+	u, err := url.Parse(normalized)
 	if err != nil {
 		s.renderLoginError(w, description)
 		return
 	}
 
+	// Only allow local redirects (no hostname)
+	if u.Hostname() != "" {
+		s.renderLoginError(w, description)
+		return
+	}
+
 	q := u.Query()
 	q.Set("error", errCode)
 	q.Set("error_description", description)
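Review bot: The new `if u.Hostname() != ""` guard does not fully enforce the "local redirects only" intent stated in the comment above it: url.Parse accepts input that carries a scheme but no authority (stored in u.Opaque with an empty Host) and input with a scheme and empty host, and both pass this check while still producing a non-local Location. Tighten the guard to `if u.Scheme != "" || u.Opaque != "" || u.Hostname() != "" || !strings.HasPrefix(u.Path, "/") {` so that only a single-slash absolute path is accepted; the backslash normalization added earlier in the hunk already covers the `/\`-prefixed variants. redirectWithError begins before this hunk and continues after it, so it is not visible whether redirectURI was already matched exactly against the client's registered redirect URIs; if it was, this local-only restriction is redundant and will reject legitimate external client callbacks that RFC 6749 §4.1.2.1 expects to receive the error, and if it was not, exact matching against the registration is the control to add rather than a hostname heuristic. The diffstat shows no import hunk, so `strings` is presumably already imported in handlers.go — worth confirming.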