fix: filter empty strings from allowed groups (#3365)

* fix: filter empty strings from allowed groups

When parsing allowed groups from configuration (e.g., via environment
variable OAUTH2_PROXY_ALLOWED_GROUPS), viper may include empty
strings in the parsed slice when trailing commas are present
(e.g., "group2," becomes ["group2", ""]).

The setAllowedGroups function now filters out empty strings before
adding them to the AllowedGroups map, ensuring that only valid group
names are checked during authorization.

Fixes #3123

Signed-off-by: Br1an67 <932039080@qq.com>

* refactor: minor change

Signed-off-by: Jan Larwig <jan@larwig.com>

* doc: add changelog entry for 3365

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Br1an67 <932039080@qq.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
Br1an 2026-03-18 22:44:11 +08:00 committed by GitHub
parent ff357daa04
commit 779cc5f350
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 17 additions and 0 deletions


@ -14,6 +14,7 @@
- [#3278](https://github.com/oauth2-proxy/oauth2-proxy/pull/3278) feat: possibility to inject id_token in redirect url during sign out (@albanf)
- [#2851](https://github.com/oauth2-proxy/oauth2-proxy/pull/2851) feat: add support for specifying allowed OIDC JWT signing algorithms (#2753) (@andoks / @tuunit)
- [#3369](https://github.com/oauth2-proxy/oauth2-proxy/pull/3369) fix: use CSRFExpire instead of Expire for CSRF cookie validation (@Br1an67)
- [#3365](https://github.com/oauth2-proxy/oauth2-proxy/pull/3365) fix: filter empty strings from allowed groups (@Br1an67)
# V7.14.3


@ -194,6 +194,10 @@ func regexpForRule(rule options.URLParameterRule) string {
func (p *ProviderData) setAllowedGroups(groups []string) {
p.AllowedGroups = make(map[string]struct{}, len(groups))
for _, group := range groups {
if len(group) == 0 {
continue
}
p.AllowedGroups[group] = struct{}{}
}
}
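Review bot: In setAllowedGroups, a configured list whose entries are all empty (for example a lone trailing comma) now leaves AllowedGroups empty, and the added test case AllowedGroupsOnlyEmptyString expects that session to be authorized, so a malformed value silently removes the group restriction. Authorize is outside this hunk, so the empty-map-means-unrestricted behaviour is inferred from that test. The function should say so in a comment such as `// Empty entries are dropped; if none remain, AllowedGroups is empty and no group restriction applies.`, and a warning logged when `len(groups) > 0 && len(p.AllowedGroups) == 0` would let operators notice the misconfiguration. Whitespace-only entries (as in "group2, ") are still stored as keys; `strings.TrimSpace(group) == ""` would cover them if that is intended.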


@ -102,6 +102,18 @@ func TestProviderDataAuthorize(t *testing.T) {
groups: []string{"baz", "foo"},
expectedAuthZ: false,
},
{
name: "AllowedGroupsWithEmptyString",
allowedGroups: []string{"group2", ""},
groups: []string{"group1", "group2"},
expectedAuthZ: true,
},
{
name: "AllowedGroupsOnlyEmptyString",
allowedGroups: []string{""},
groups: []string{"group1", "group2"},
expectedAuthZ: true,
},
}
for _, tc := range testCases {