@vercel[bot] 1d ago
The latest updates on your projects. Learn more about Vercel for GitHub.
| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| dashboard | | Preview, Comment | Jun 11, 2026 10:14pm |
Fixes a Stored DOM-based XSS + Open Redirect in the Connect / connected-account link flow, reported by Kullai Metikala (forwarded internally by Rohan/Rahul).
A connect link's callbackUrl (and the OAuth redirect_url) was accepted with any URL scheme and later assigned directly to window.location.href. A javascript: / data: value persists server-side and executes in the dashboard.composio.dev origin for every end-user who completes the connection — arbitrary JS on a shared multi-tenant origin (CWE-79), plus an open-redirect variant leaking connected_account_id (CWE-601).
- connectedAccounts.createLink zod input used z.string().url() — validates format, not scheme, so javascript:/data: passed through. Same for consumer initiateConnection.
- StateContent did new URL(callbackUrl) (format check only) → window.location.href. new URL() preserves the javascript: opaque body, so the payload survived to the sink.
- src/lib/safe-redirect-url.ts: getSafeRedirectUrl() + safeRedirectUrlSchema — http(s)-only scheme allowlist, rejects protocol-relative URLs, length-bounded.
- createLink and initiateConnection schemas now reject non-http(s) callbackUrl before it is ever stored.
- window.location.href / openPopup that reads callbackUrl / redirect_url is now guarded — StateContent, FormContent, the enhanced link screen, and the terminal connection result.
- 'unsafe-inline' from script-src and adding a navigate-to CSP directive (§8.3) — CSP/hardening, separate change.
- callback_url on store/serve so legacy rows can't carry a javascript: value. The client sinks are guarded here regardless.
- pnpm lint → 0 errors.
- pnpm typecheck → only two pre-existing errors in connect-announcement-modal.tsx from regenerated OpenAPI spec drift (untouched by this PR).

🤖 Generated with Claude Code
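Added example (not the project's code) of the distinction the PR describes: a format-only URL check, which is all z.string().url() amounts to, beside a scheme-allowlisting one, and a sink that only navigates when the validator returned a value. The name getSafeRedirectUrl is taken from the PR; its body, the length bound and the navigateTo helper are assumed here.

```typescript
// Added example, not the project's code. Function names mirror the PR's
// description; implementations, the length bound and navigateTo are assumed.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const MAX_REDIRECT_URL_LENGTH = 2048; // assumed bound

// What a z.string().url()-style check amounts to: "parses, therefore valid".
// A javascript: or data: URL parses fine, so this accepts it.
function formatOnlyCheck(value: string): boolean {
  try {
    new URL(value);
    return true;
  } catch {
    return false;
  }
}

// Hardened check: returns the normalized URL only for an absolute http(s)
// URL within the length bound; anything else yields null.
function getSafeRedirectUrl(value: unknown): string | null {
  if (typeof value !== "string") return null;
  const candidate = value.trim();
  if (candidate.length === 0 || candidate.length > MAX_REDIRECT_URL_LENGTH) return null;
  // "//host/path" (or backslash variants) would take the current origin's
  // scheme at the sink and land on another host, so reject before parsing.
  if (/^[\/\\]{2}/.test(candidate)) return null;
  let parsed: URL;
  try {
    parsed = new URL(candidate);
  } catch {
    return null; // relative paths and malformed input both fail here
  }
  // The parser lowercases the scheme, so "JavaScript:" is caught as well;
  // the opaque body of a javascript: URL survives parsing, the scheme does not.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  if (parsed.hostname.length === 0) return null;
  return parsed.href;
}

// Guarded sink: the caller passes the assignment (e.g. to window.location.href)
// and it runs only when validation succeeded. Returns whether it navigated.
function navigateTo(callbackUrl: unknown, assign: (href: string) => void): boolean {
  const safe = getSafeRedirectUrl(callbackUrl);
  if (safe === null) return false;
  assign(safe);
  return true;
}
```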