Fix pattern consistency and comment accuracy based on code review

Copilot · luisgizirian · Copilot · commit e9d5b8d92af2 · 2026-01-10T01:16:06.000Z
Co-authored-by: luisgizirian &lt;598685+luisgizirian@users.noreply.github.com&gt;
diff --git a/internal/defender/defender.go b/internal/defender/defender.go
@@ -157,7 +157,7 @@ func NewDefender(opts DefenderOptions) *Defender {
 		`[?&](redirect|return|url|next|dest|destination|continue|view|target|redir|r|u)=https?://`,  // Open redirect
 		`[?&](redirect|return|url|next|dest|destination|continue|view|target|redir|r|u)=//`,         // Protocol-relative redirect
 		`[?&](redirect|return|url|next|dest|destination|continue|view|target|redir|r|u)=.*%2f%2f`,   // Encoded // in redirect
-		`(returnUrl|redirect|return|url|next|dest|destination|continue|view|target|redir).*%25[23]`,  // Excessive URL-encoded nesting (4+ levels)
+		`[?&](returnUrl|redirect|return|url|next|dest|destination|continue|view|target|redir).*%25[23]`,  // Excessive URL-encoded nesting (4+ levels)
 	}
 
 	for _, pattern := range patterns {
diff --git a/internal/defender/defender_test.go b/internal/defender/defender_test.go
@@ -1042,7 +1042,7 @@ func TestDefender_ExcessiveURLEncodedNesting(t *testing.T) {
 			name:       "Excessive nesting with redirect param",
 			uri:        "/auth?redirect=/page1?redirect%3D/page2?redirect%253D/page3",
 			suspicious: true,
-			reason:     "3+ levels of URL encoding detected",
+			reason:     "4+ levels of URL encoding detected",
 		},
 		{
 			name:       "Simple redirect - no nesting",

Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,7 @@ func NewDefender(opts DefenderOptions) *Defender {`
`157`	`157`	`[?&](redirect\|return\|url\|next\|dest\|destination\|continue\|view\|target\|redir\|r\|u)=https?://`, // Open redirect
`158`	`158`	`[?&](redirect\|return\|url\|next\|dest\|destination\|continue\|view\|target\|redir\|r\|u)=//`, // Protocol-relative redirect
`159`	`159`	`[?&](redirect\|return\|url\|next\|dest\|destination\|continue\|view\|target\|redir\|r\|u)=.*%2f%2f`, // Encoded // in redirect
`160`		- `(returnUrl\|redirect\|return\|url\|next\|dest\|destination\|continue\|view\|target\|redir).*%25[23]`, // Excessive URL-encoded nesting (4+ levels)
	`160`	+ `[?&](returnUrl\|redirect\|return\|url\|next\|dest\|destination\|continue\|view\|target\|redir).*%25[23]`, // Excessive URL-encoded nesting (4+ levels)
`161`	`161`	`}`
`162`	`162`
`163`	`163`	`for _, pattern := range patterns {`
Original file line number	Diff line number	Diff line change
`@@ -1042,7 +1042,7 @@ func TestDefender_ExcessiveURLEncodedNesting(t *testing.T) {`
`1042`	`1042`	`name: "Excessive nesting with redirect param",`
`1043`	`1043`	`uri: "/auth?redirect=/page1?redirect%3D/page2?redirect%253D/page3",`
`1044`	`1044`	`suspicious: true,`
`1045`		`- reason: "3+ levels of URL encoding detected",`
	`1045`	`+ reason: "4+ levels of URL encoding detected",`
`1046`	`1046`	`},`
`1047`	`1047`	`{`
`1048`	`1048`	`name: "Simple redirect - no nesting",`