copilot security fixes

admin.go

@@ -38,6 +38,8 @@ func adminLoginHandler(w http.ResponseWriter, r *http.Request) {
 				Value:    base64.StdEncoding.EncodeToString([]byte(username + ":" + hashPassword(password))),
 				Path:     "/admin/",
 				HttpOnly: true,
+				SameSite: http.SameSiteStrictMode,
+				Secure:   true,
 			})
 			http.Redirect(w, r, "/admin/", http.StatusSeeOther)
 		}
@@ -61,8 +63,8 @@ func isAdmin(r *http.Request) bool {
 		return false
 	}
 	var username, passwordHash string
-	regexp := regexp.MustCompile(`^([^:]+):([a-f0-9]+)$`)
+	regex := regexp.MustCompile(`^([^:]+):([a-f0-9]+)$`)
-	matches := regexp.FindStringSubmatch(string(decoded))
+	matches := regex.FindStringSubmatch(string(decoded))
 	if len(matches) != 3 {
 		return false
 	}

klice.go

@@ -54,6 +54,7 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
 				Path:     "/",
 				HttpOnly: true,
 				SameSite: http.SameSiteStrictMode,
+				Secure:   true,
 			}
 			http.SetCookie(w, cookie)
 
@@ -61,7 +62,7 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
 			if err == nil {
 				redir.MaxAge = -1
 				http.SetCookie(w, redir)
-				http.Redirect(w, r, redir.Value, http.StatusSeeOther)
+				http.Redirect(w, r, safeRedirectURL(redir.Value), http.StatusSeeOther)
 			} else {
 				http.Redirect(w, r, "/team", http.StatusSeeOther)
 			}
@@ -110,6 +111,7 @@ func isLoggedIn(w http.ResponseWriter, r *http.Request) (bool, int) {
 			Path:     "/",
 			HttpOnly: true,
 			SameSite: http.SameSiteStrictMode,
+			Secure:   true,
 		}
 		http.SetCookie(w, redir)
 		http.Redirect(w, r, "/login", http.StatusSeeOther)
@@ -330,6 +332,13 @@ func qrHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func safeRedirectURL(u string) string {
+	if strings.HasPrefix(u, "/") && !strings.HasPrefix(u, "//") {
+		return u
+	}
+	return "/team"
+}
+
 func main() {
 	var err error
 	db, err = sql.Open("sqlite3", dbFile+"?_fk=on")