public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

implicit/explicit redirect port matching

This commit is contained in:
Kamal Nasser 2019-10-12 23:47:23 +03:00
parent bfb22506ff
commit ae4e9155d2
2 changed files with 38 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
oauthproxy.go
View File

@ -504,11 +504,27 @@ func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
if err != nil { if err != nil {
return false return false
} }
redirectHostname := redirectURL.Hostname()
for _, domain := range p.whitelistDomains { for _, domain := range p.whitelistDomains {
if (redirectURL.Hostname() == domain) || (strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectURL.Hostname(), domain)) { domainURL := url.URL{
Host: strings.TrimLeft(domain, "."),
}
domainHostname := domainURL.Hostname()
if domainHostname == "" {
continue
}
if (redirectHostname == domainHostname) || (strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectHostname, domainHostname)) {
// if the domain has a port, only allow that port
// otherwise allow any port
domainPort := domainURL.Port()
if (domainPort == "") || (domainPort == redirectURL.Port()) {
return true return true
} }
} }
}
return false return false
default: default:
return false return false

25
oauthproxy_test.go
View File

@ -182,7 +182,7 @@ func TestIsValidRedirect(t *testing.T) {
opts.ClientSecret = "fgkdsgj" opts.ClientSecret = "fgkdsgj"
opts.CookieSecret = "ljgiogbj" opts.CookieSecret = "ljgiogbj"
// Should match domains that are exactly foo.bar and any subdomain of bar.foo // Should match domains that are exactly foo.bar and any subdomain of bar.foo
opts.WhitelistDomains = []string{"foo.bar", ".bar.foo"} opts.WhitelistDomains = []string{"foo.bar", ".bar.foo", "port.bar:8080", ".sub.port.bar:8080"}
opts.Validate() opts.Validate()
proxy := NewOAuthProxy(opts, func(string) bool { return true }) proxy := NewOAuthProxy(opts, func(string) bool { return true })
@ -226,11 +226,26 @@ func TestIsValidRedirect(t *testing.T) {
invalidHTTPS2 := proxy.IsValidRedirect("https://evil.corp/redirect?rd=foo.bar") invalidHTTPS2 := proxy.IsValidRedirect("https://evil.corp/redirect?rd=foo.bar")
assert.Equal(t, false, invalidHTTPS2) assert.Equal(t, false, invalidHTTPS2)
validPort := proxy.IsValidRedirect("http://foo.bar:3838/redirect") invalidPort := proxy.IsValidRedirect("https://evil.corp:3838/redirect")
assert.Equal(t, true, validPort) assert.Equal(t, false, invalidPort)
validPortSubdomain := proxy.IsValidRedirect("http://baz.bar.foo:3838/redirect") validAnyPort := proxy.IsValidRedirect("http://foo.bar:3838/redirect")
assert.Equal(t, true, validPortSubdomain) assert.Equal(t, true, validAnyPort)
validAnyPortSubdomain := proxy.IsValidRedirect("http://baz.bar.foo:3838/redirect")
assert.Equal(t, true, validAnyPortSubdomain)
validSpecificPort := proxy.IsValidRedirect("http://port.bar:8080/redirect")
assert.Equal(t, true, validSpecificPort)
invalidSpecificPort := proxy.IsValidRedirect("http://port.bar:3838/redirect")
assert.Equal(t, false, invalidSpecificPort)
validSpecificPortSubdomain := proxy.IsValidRedirect("http://foo.sub.port.bar:8080/redirect")
assert.Equal(t, true, validSpecificPortSubdomain)
invalidSpecificPortSubdomain := proxy.IsValidRedirect("http://foo.sub.port.bar:3838/redirect")
assert.Equal(t, false, invalidSpecificPortSubdomain)
} }
type TestProvider struct { type TestProvider struct {