From 43596a7bab2053e091ddc513c865e20b4e4b08ea Mon Sep 17 00:00:00 2001
From: Jan Larwig
Date: Mon, 13 Apr 2026 18:20:36 +0200
Subject: [PATCH] Merge commit from fork

Signed-off-by: Jan Larwig
---
 CHANGELOG.md | 1 +
 pkg/middleware/healthcheck.go | 11 +++++---
 pkg/middleware/healthcheck_test.go | 40 +++++++++++++++++++++++-------
 3 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2dccaaf1..3e1dc347 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@
 - [#3411](https://github.com/oauth2-proxy/oauth2-proxy/pull/3411) chore(deps): update gomod dependencies (@tuunit)
 - [#3333](https://github.com/oauth2-proxy/oauth2-proxy/pull/3333) fix: invalidate session on fatal OAuth2 refresh errors (@frhack)
 - [GHSA-f24x-5g9q-753f](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f) fix: clear session cookie at beginning of signinpage handler (@fnoehWM / @bella-WI / @tuunit)
+- [GHSA-5hvv-m4w4-gf6v](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v) fix: health check user-agent authentication bypass (@tuunit)
 
 # V7.15.1
 
diff --git a/pkg/middleware/healthcheck.go b/pkg/middleware/healthcheck.go
index 2dcfc1d4..de3b63d2 100644
--- a/pkg/middleware/healthcheck.go
+++ b/pkg/middleware/healthcheck.go
@@ -43,10 +43,13 @@ func healthCheck(paths, userAgents []string, next http.Handler) http.Handler {
 
 func isHealthCheckRequest(paths, userAgents map[string]struct{}, req *http.Request) bool {
 	if _, ok := paths[req.URL.EscapedPath()]; ok {
-		return true
-	}
-	if _, ok := userAgents[req.Header.Get("User-Agent")]; ok {
-		return true
+		if len(userAgents) == 0 {
+			return true
+		}
+
+		if _, ok := userAgents[req.Header.Get("User-Agent")]; ok {
+			return true
+		}
 	}
 	return false
 }
diff --git a/pkg/middleware/healthcheck_test.go b/pkg/middleware/healthcheck_test.go
index 78e1e6d4..68a8d3ec 100644
--- a/pkg/middleware/healthcheck_test.go
+++ b/pkg/middleware/healthcheck_test.go
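Review bot: The rewritten body of isHealthCheckRequest changes what a configured user agent means — it used to be an alternate trigger on any path and is now a restriction applied only to requests that already match a health check path — yet the function carries no comment saying so, and the test changes in this patch show that a health-path request with agents configured but no matching User-Agent no longer gets the 200. Add a doc comment above the function: `// isHealthCheckRequest reports whether req targets a configured health check path.` / `// Configured user agents only narrow that set: when any are set, the request must also carry a matching User-Agent;` / `// a matching User-Agent on any other path never short-circuits the proxy (GHSA-5hvv-m4w4-gf6v).` The nesting can also be flattened into guard clauses — `if _, ok := paths[req.URL.EscapedPath()]; !ok { return false }`, `if len(userAgents) == 0 { return true }`, `_, ok := userAgents[req.Header.Get("User-Agent")]; return ok` — which keeps the happy path left-aligned and makes the path-first ordering the obvious invariant. Operators who relied on the user-agent option alone will need the same wording in the flag documentation, which this patch does not touch as far as is visible here.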
@@ -45,6 +45,16 @@ var _ = Describe("HealthCheck suite", func() {
 			healthCheckPaths: []string{"/ping"},
 			healthCheckUserAgents: []string{"hc/1.0"},
 			requestString: "http://example.com/ping",
+			headers: map[string]string{
+				"User-Agent": "hc/1.0",
+			},
+			expectedStatus: 200,
+			expectedBody: "OK",
+		}),
+		Entry("when requesting the healthcheck path with no health check user agents configured", &requestTableInput{
+			healthCheckPaths: []string{"/ping"},
+			healthCheckUserAgents: []string{},
+			requestString: "http://example.com/ping",
 			headers: map[string]string{},
 			expectedStatus: 200,
 			expectedBody: "OK",
@@ -85,15 +95,25 @@ var _ = Describe("HealthCheck suite", func() {
 			expectedStatus: 404,
 			expectedBody: "404 page not found\n",
 		}),
-		Entry("with a request from the health check user agent", &requestTableInput{
+		Entry("with a request from the health check user agent on a non-healthcheck path", &requestTableInput{
 			healthCheckPaths: []string{"/ping"},
 			healthCheckUserAgents: []string{"hc/1.0"},
 			requestString: "http://example.com/abc",
 			headers: map[string]string{
 				"User-Agent": "hc/1.0",
 			},
-			expectedStatus: 200,
-			expectedBody: "OK",
+			expectedStatus: 404,
+			expectedBody: "404 page not found\n",
+		}),
+		Entry("when an auth_request endpoint receives the configured health check user agent", &requestTableInput{
+			healthCheckPaths: []string{"/ping"},
+			healthCheckUserAgents: []string{"GoogleHC/1.0"},
+			requestString: "http://example.com/oauth2/auth",
+			headers: map[string]string{
+				"User-Agent": "GoogleHC/1.0",
+			},
+			expectedStatus: 404,
+			expectedBody: "404 page not found\n",
 		}),
 		Entry("when a blank string is configured as a health check agent and a request has no user agent", &requestTableInput{
 			healthCheckPaths: []string{"/ping"},
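Review bot: The new Entry "when an auth_request endpoint receives the configured health check user agent" asserts a 404 with body `404 page not found\n`, which is the default-mux response for an unregistered path rather than an authentication decision; unless the test harness (outside these hunks) mounts a real `/oauth2/auth` handler, the case proves only that the User-Agent no longer short-circuits on a non-health path, which the preceding `/abc` entry already covers. A comment on the entry would keep the next reader from overestimating it, e.g. `// next is a bare mux here: the 404 shows the request fell through to it instead of being answered as a health check.` Alternatively drive the case through a handler that records it was invoked, so the assertion is about reaching the downstream handler rather than about a 404 body.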
@@ -107,9 +127,11 @@ var _ = Describe("HealthCheck suite", func() {
 			healthCheckPaths: []string{"/ping", "/liveness_check", "/readiness_check"},
 			healthCheckUserAgents: []string{"hc/1.0"},
 			requestString: "http://example.com/readiness_check",
-			headers: map[string]string{},
-			expectedStatus: 200,
-			expectedBody: "OK",
+			headers: map[string]string{
+				"User-Agent": "hc/1.0",
+			},
+			expectedStatus: 200,
+			expectedBody: "OK",
 		}),
 		Entry("with multiple paths, request none of the healthcheck paths", &requestTableInput{
 			healthCheckPaths: []string{"/ping", "/liveness_check", "/readiness_check"},
@@ -121,15 +143,15 @@ var _ = Describe("HealthCheck suite", func() {
 			expectedStatus: 404,
 			expectedBody: "404 page not found\n",
 		}),
-		Entry("with multiple user agents, request from a health check user agent", &requestTableInput{
+		Entry("with multiple user agents, request from a health check user agent on a non-healthcheck path", &requestTableInput{
 			healthCheckPaths: []string{"/ping"},
 			healthCheckUserAgents: []string{"hc/1.0", "GoogleHC/1.0"},
 			requestString: "http://example.com/abc",
 			headers: map[string]string{
 				"User-Agent": "GoogleHC/1.0",
 			},
-			expectedStatus: 200,
-			expectedBody: "OK",
+			expectedStatus: 404,
+			expectedBody: "404 page not found\n",
 		}),
 		Entry("with multiple user agents, request from none of the health check user agents", &requestTableInput{
 			healthCheckPaths: []string{"/ping"},
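Review bot: The readiness_check entry in the first hunk now sends `User-Agent: hc/1.0` to earn its 200, which removes the only visible case where agents are configured and a health-path request carries no matching agent — and nothing in these hunks asserts what that request gets under the new rule. Add an Entry with `healthCheckUserAgents: []string{"hc/1.0"}`, `requestString: "http://example.com/ping"` and `headers: map[string]string{"User-Agent": "curl/8.0"}` expecting `404` and `404 page not found\n`, so the "agents narrow the path set" semantics are pinned and a regression back to path-only matching fails loudly. If the table already holds such an entry outside these hunks, this is already covered.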