fix(gui): mitigate CVE-2026-48710 (BadHost) auth bypass vector

melifaro · claude · melifaro · commit d48fb31e1cb0 · 2026-05-27T15:36:37.000+02:00
Use `request.scope["path"]` instead of `request.url.path` in
`require_gui_user()` to prevent Host header forgery from manipulating
the login redirect `returnTo` parameter. Bump starlette &gt;= 1.0.1.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/mise.lock b/mise.lock
@@ -125,6 +125,7 @@ url_api = "https://api.github.com/repos/minamijoyo/hcledit/releases/assets/22835
 checksum = "sha256:dc7de4514c6b63e9e601c640a68cab73949b9061b3c181f1e38f3e105f6fcbfb"
 url = "https://github.com/minamijoyo/hcledit/releases/download/v0.2.17/hcledit_0.2.17_darwin_arm64.tar.gz"
 url_api = "https://api.github.com/repos/minamijoyo/hcledit/releases/assets/228357402"
+github_attestations = "unavailable"
 
 [tools."github:minamijoyo/hcledit"."platforms.macos-x64"]
 checksum = "sha256:63e122b039af7a1641c41e47f6ad40afaa1a400330c6c54086d7fde9a090bd57"
diff --git a/pyproject.toml b/pyproject.toml
@@ -66,7 +66,7 @@ dependencies = [
     "nicegui>=3,<4",
     "truststore>=0.9,<1",
     "typer>=0.14,<1",
-    "starlette>=1.0.0",
+    "starlette>=1.0.1",
 ]
 
 [dependency-groups]
diff --git a/src/aignostics_foundry_core/gui/auth.py b/src/aignostics_foundry_core/gui/auth.py
@@ -205,7 +205,7 @@ async def require_gui_user(request: Request, return_to: str | None = None) -> di
 
     user = await get_gui_user(request)
     if not user:
-        redirect_path = return_to or request.url.path
+        redirect_path = return_to or request.scope["path"]
         login_url = f"/auth/login?returnTo={redirect_path}"
         ui.navigate.to(login_url)
         return None
diff --git a/tests/aignostics_foundry_core/gui/gui_test.py b/tests/aignostics_foundry_core/gui/gui_test.py
@@ -523,7 +523,7 @@ async def test_redirects_to_login_when_no_user(self) -> None:
         from aignostics_foundry_core.gui.auth import require_gui_user
 
         request = MagicMock()
-        request.url.path = "/protected"
+        request.scope = {"path": "/protected"}
         request.app.state = MagicMock(spec=[])  # no auth_client → get_gui_user returns None
 
         navigate_mock = MagicMock()
@@ -557,7 +557,7 @@ async def test_uses_return_to_override(self) -> None:
         from aignostics_foundry_core.gui.auth import require_gui_user
 
         request = MagicMock()
-        request.url.path = "/original"
+        request.scope = {"path": "/original"}
         request.app.state = MagicMock(spec=[])  # no auth_client → get_gui_user returns None
 
         navigate_mock = MagicMock()
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ dependencies = [`
`66`	`66`	`"nicegui>=3,<4",`
`67`	`67`	`"truststore>=0.9,<1",`
`68`	`68`	`"typer>=0.14,<1",`
`69`		`- "starlette>=1.0.0",`
	`69`	`+ "starlette>=1.0.1",`
`70`	`70`	`]`
`71`	`71`
`72`	`72`	`[dependency-groups]`