From 779cc5f350951b67169aec9836b3495f4faf80df Mon Sep 17 00:00:00 2001 From: Br1an <932039080@qq.com> Date: Wed, 18 Mar 2026 22:44:11 +0800 Subject: [PATCH] fix: filter empty strings from allowed groups (#3365) * fix: filter empty strings from allowed groups When parsing allowed groups from configuration (e.g., via environment variable OAUTH2_PROXY_ALLOWED_GROUPS), viper may include empty strings in the parsed slice when trailing commas are present (e.g., "group2," becomes ["group2", ""]). The setAllowedGroups function now filters out empty strings before adding them to the AllowedGroups map, ensuring that only valid group names are checked during authorization. Fixes #3123 Signed-off-by: Br1an67 <932039080@qq.com> * refactor: minor change Signed-off-by: Jan Larwig * doc: add changelog entry for 3365 Signed-off-by: Jan Larwig --------- Signed-off-by: Br1an67 <932039080@qq.com> Signed-off-by: Jan Larwig Co-authored-by: Jan Larwig
---
 CHANGELOG.md | 1 +
 providers/provider_data.go | 4 ++++
 providers/provider_default_test.go | 12 ++++++++++++
 3 files changed, 17 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1477c99d..967455db 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 - [#3278](https://github.com/oauth2-proxy/oauth2-proxy/pull/3278) feat: possibility to inject id_token in redirect url during sign out (@albanf)
 - [#2851](https://github.com/oauth2-proxy/oauth2-proxy/pull/2851) feat: add support for specifying allowed OIDC JWT signing algorithms (#2753) (@andoks / @tuunit)
 - [#3369](https://github.com/oauth2-proxy/oauth2-proxy/pull/3369) fix: use CSRFExpire instead of Expire for CSRF cookie validation (@Br1an67)
+- [#3365](https://github.com/oauth2-proxy/oauth2-proxy/pull/3365) fix: filter empty strings from allowed groups (@Br1an67)
 # V7.14.3
diff --git a/providers/provider_data.go b/providers/provider_data.go
index 8f9d1e36..80bd77ae 100644
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@@ -194,6 +194,10 @@ func regexpForRule(rule options.URLParameterRule) string {
 func (p *ProviderData) setAllowedGroups(groups []string) {
 p.AllowedGroups = make(map[string]struct{}, len(groups))
 for _, group := range groups {
+ if len(group) == 0 {
+ continue
+ }
+
 p.AllowedGroups[group] = struct{}{}
 }
 }
diff --git a/providers/provider_default_test.go b/providers/provider_default_test.go
index 0fbe7abd..9370cdca 100644
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@@ -102,6 +102,18 @@ func TestProviderDataAuthorize(t *testing.T) {
 groups: []string{"baz", "foo"},
 expectedAuthZ: false,
 },
+ {
+ name: "AllowedGroupsWithEmptyString",
+ allowedGroups: []string{"group2", ""},
+ groups: []string{"group1", "group2"},
+ expectedAuthZ: true,
+ },
+ {
+ name: "AllowedGroupsOnlyEmptyString",
+ allowedGroups: []string{""},
+ groups: []string{"group1", "group2"},
+ expectedAuthZ: true,
+ },
 }
 for _, tc := range testCases {
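Review bot: The new `if len(group) == 0` filter means a configuration whose entries are all empty (for example a lone trailing comma in OAUTH2_PROXY_ALLOWED_GROUPS) yields an empty AllowedGroups map, and the companion test case AllowedGroupsOnlyEmptyString in provider_default_test.go expects that to authorize any user, so a malformed restriction is silently turned into no restriction at all. That may be the intended semantics for an unset option, but a reader of setAllowedGroups cannot see it; add a comment such as `// Drop empty entries (e.g. from a trailing comma in the config); if none remain, AllowedGroups stays empty and the group restriction is not applied.` and consider having the caller reject or log a warning on a list that consists only of empty entries rather than widening access unannounced. Entries that are only whitespace are not dropped by this check and can never match a real group name; if the config source can produce them, trim before the length test (`group = strings.TrimSpace(group)`). The method is fully visible in the hunk.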
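Review bot: Both added table entries expect `expectedAuthZ: true`, so neither one distinguishes "the empty entry is ignored" from "an empty entry matches anything" — AllowedGroupsWithEmptyString passes either way because "group2" is a genuine match. Add a case where the only non-empty entry does not match, e.g. `allowedGroups: []string{"group3", ""}` with `groups: []string{"group1", "group2"}` and `expectedAuthZ: false`, so the table actually asserts that an empty entry never widens matching. The AllowedGroupsOnlyEmptyString entry also deserves a one-line comment stating that an all-empty list leaves AllowedGroups empty and therefore imposes no group restriction, since that outcome is surprising when reading the table cold. TestProviderDataAuthorize continues outside the hunk.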