Severity: NONE (0.0) | Ecosystem: Go

Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint

GHSA-7qx6-f23w-3w7f


Description

Summary

The GET /?redirect endpoint in goshs v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied url= value and writes any attacker-supplied header=Name: Value pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the default deployment, and without the checkCSRF() guard that GHSA-jrq5-hg6x-j6g3 added to the other state-changing GET routes (?mkdir, ?delete). The same dispatcher also lacks an fs.Invisible branch, so the endpoint stays responsive in -I stealth mode and reliably fingerprints an "invisible" goshs deployment with a single request.

Details

httpserver/handler.go:222-228 — the dispatcher gates ?redirect only with denyForTokenAccess (which only blocks share-token callers). It does not check fs.Invisible and does not call checkCSRF:

if _, ok := req.URL.Query()["redirect"]; ok {
    if denyForTokenAccess(w, req) {
        return true
    }
    fs.handleRedirect(w, req)
    return true
}

httpserver/handler.go:753-787 (handleRedirect):

func (fs *FileServer) handleRedirect(w http.ResponseWriter, req *http.Request) {
    q := req.URL.Query()

    target := q.Get("url")                                   // (1) no scheme/host validation
    if target == "" { /* 400 */ }

    status := http.StatusFound
    if s := q.Get("status"); s != "" {                        // (2) only constrained to 3xx
        code, err := strconv.Atoi(s)
        if err != nil || code < 300 || code > 399 { /* 400 */ }
        status = code
    }

    for _, h := range q["header"] {                          // (3) arbitrary header set
        parts := strings.SplitN(h, ": ", 2)
        if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" { /* 400 */ }
        w.Header().Set(strings.TrimSpace(parts[0]), parts[1])
    }

    http.Redirect(w, req, target, status)                    // (4) attacker Location

    body := fs.emitCollabEvent(req, status)
    logger.LogRequest(req, status, fs.Verbose, fs.Webhook, body)
}

httpserver/server.go:85-100 (BasicAuthMiddleware): the middleware is registered only when fs.User != "" || fs.Pass != ""; the default goshs invocation sets neither, so ?redirect is open to anyone on the network.
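A hardened form of the dispatcher branch and handleRedirect, written here as an added example and not taken from goshs: it restricts the target to same-origin paths, allow-lists header names, and adds the invisible-mode and CSRF gates the vulnerable branch lacks. The two allow-listed header names are an assumed policy, and the invisible flag and csrfOK callback are stand-ins for the project's fs.Invisible field and checkCSRF function.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// safeRedirectTarget accepts only same-origin, path-relative targets: no scheme, host, userinfo, "//host" or "/\host" form.
func safeRedirectTarget(raw string) bool {
	u, err := url.Parse(raw) // also fails on embedded control characters
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	return strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//") && !strings.Contains(raw, `\`)
}

// allowedHeader accepts "Name: Value" only for an allow-listed name (assumed policy); net/http neutralises CR/LF in values.
func allowedHeader(pair string) (name, value string, ok bool) {
	name, value, ok = strings.Cut(pair, ": ")
	name = http.CanonicalHeaderKey(strings.TrimSpace(name))
	return name, value, ok && (name == "Cache-Control" || name == "X-Request-Id")
}

// dispatchRedirect is the hardened ?redirect branch; invisible and csrfOK stand in for fs.Invisible and checkCSRF (assumed).
func dispatchRedirect(w http.ResponseWriter, req *http.Request, invisible bool, csrfOK func(*http.Request) bool) int {
	if invisible { // must look exactly like an unknown path in -I mode
		http.NotFound(w, req)
		return http.StatusNotFound
	}
	if !csrfOK(req) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return http.StatusForbidden
	}
	q := req.URL.Query()
	if !safeRedirectTarget(q.Get("url")) {
		http.Error(w, "invalid redirect target", http.StatusBadRequest)
		return http.StatusBadRequest
	}
	for _, p := range q["header"] {
		name, value, ok := allowedHeader(p)
		if !ok {
			http.Error(w, "header not permitted", http.StatusBadRequest)
			return http.StatusBadRequest
		}
		w.Header().Set(name, value)
	}
	http.Redirect(w, req, q.Get("url"), http.StatusFound)
	return http.StatusFound
}
```

Relative targets without a leading slash are also refused, which is stricter than http.Redirect's own resolution but keeps the check easy to reason about.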

PoC

poc.zip
Please extract the uploaded compressed file before proceeding

  1. docker build -t goshs-poc .
  2. sh poc.sh

Impact

  • Cross-subdomain session fixation — Set-Cookie: …; Domain=.corp.com lands a fixed session on every sibling app on the parent domain.
  • TLS downgrade — Strict-Transport-Security: max-age=0 invalidates prior HSTS state for the origin, enabling MITM on subsequent visits.
