public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request from GHSA-4mf2-f3wh-gvf2

This commit is contained in:
Nick Meves 2021-02-01 10:04:33 -08:00 committed by GitHub
parent 48b1658e5d
commit 780ae4f3c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
oauthproxy.go
View File

@ -437,21 +437,23 @@ func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
} }
redirectHostname := redirectURL.Hostname() redirectHostname := redirectURL.Hostname()
for _, domain := range p.whitelistDomains { for _, allowedDomain := range p.whitelistDomains {
domainHostname, domainPort := splitHostPort(strings.TrimLeft(domain, ".")) allowedHost, allowedPort := splitHostPort(allowedDomain)
if domainHostname == "" { if allowedHost == "" {
continue continue
} }
if (redirectHostname == domainHostname) || (strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectHostname, domainHostname)) { if redirectHostname == strings.TrimPrefix(allowedHost, ".") ||
(strings.HasPrefix(allowedHost, ".") &&
strings.HasSuffix(redirectHostname, allowedHost)) {
// the domain names match, now validate the ports // the domain names match, now validate the ports
// if the whitelisted domain's port is '*', allow all ports // if the whitelisted domain's port is '*', allow all ports
// if the whitelisted domain contains a specific port, only allow that port // if the whitelisted domain contains a specific port, only allow that port
// if the whitelisted domain doesn't contain a port at all, only allow empty redirect ports ie http and https // if the whitelisted domain doesn't contain a port at all, only allow empty redirect ports ie http and https
redirectPort := redirectURL.Port() redirectPort := redirectURL.Port()
if (domainPort == "*") || if allowedPort == "*" ||
(domainPort == redirectPort) || allowedPort == redirectPort ||
(domainPort == "" && redirectPort == "") { (allowedPort == "" && redirectPort == "") {
return true return true
} }
} }

5
oauthproxy_test.go
View File

@ -298,6 +298,11 @@ func TestIsValidRedirect(t *testing.T) {
Redirect: "/\t/\t\\evil.com", Redirect: "/\t/\t\\evil.com",
ExpectedResult: false, ExpectedResult: false,
}, },
{
Desc: "openRedirectPartialSubdomain",
Redirect: "http://evilbar.foo",
ExpectedResult: false,
},
} }
for _, tc := range testCases { for _, tc := range testCases {