From e7033b34dc41477cbea0090839de2c5c1f507d3b Mon Sep 17 00:00:00 2001
From: Colin Adler
Date: Mon, 4 Mar 2024 18:46:22 +0000
Subject: [PATCH 1/2] chore: add patch notes for v2.8.4

---
 docs/changelogs/v2.8.4.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 docs/changelogs/v2.8.4.md

diff --git a/docs/changelogs/v2.8.4.md b/docs/changelogs/v2.8.4.md
new file mode 100644
index 0000000000000..bebb135b7e637
--- /dev/null
+++ b/docs/changelogs/v2.8.4.md
@@ -0,0 +1,20 @@
+## Changelog
+
+All users are recommended to upgrade to a version that patches
+[GHSA-7cc2-r658-7xpf](https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf)
+as soon as possible if they are using OIDC authentication with the
+`CODER_OIDC_EMAIL_DOMAIN` setting.
+
+### Security
+
+- Fixes [GHSA-7cc2-r658-7xpf](https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf)
+
+Compare: [`v2.8.3...v2.8.4`](https://github.com/coder/coder/compare/v2.8.3...v2.8.4)
+
+## Container image
+
+- `docker pull ghcr.io/coder/coder:v2.8.4`
+
+## Install/upgrade
+
+Refer to our docs to [install](https://coder.com/docs/v2/latest/install) or [upgrade](https://coder.com/docs/v2/latest/admin/upgrade) Coder, or use a release asset below.

From 2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb Mon Sep 17 00:00:00 2001
From: Colin Adler
Date: Mon, 4 Mar 2024 11:52:03 -0600
Subject: [PATCH 2/2] Merge pull request from GHSA-7cc2-r658-7xpf

This fixes a vulnerability with the `CODER_OIDC_EMAIL_DOMAIN` option, where users with a superset of the allowed email domain would be allowed to login. For example, given `CODER_OIDC_EMAIL_DOMAIN=google.com`, a user would be permitted entry if their email domain was `colin-google.com`.

(cherry picked from commit 4439a920e454a82565e445e4376c669e3b89591c)
---
 coderd/userauth.go      | 12 ++++++++++--
 coderd/userauth_test.go | 11 +++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index dbb01f12e31ad..8b50353db2cd4 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -928,15 +928,23 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 	if len(api.OIDCConfig.EmailDomain) > 0 {
 		ok = false
+		emailSp := strings.Split(email, "@")
+		if len(emailSp) == 1 {
+			httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+				Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
+			})
+			return
+		}
+		userEmailDomain := emailSp[len(emailSp)-1]
 		for _, domain := range api.OIDCConfig.EmailDomain {
-			if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
+			if strings.EqualFold(userEmailDomain, domain) {
 				ok = true
 				break
 			}
 		}
 		if !ok {
 			httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-				Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomain),
+				Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
 			})
 			return
 		}
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index e502b7b4cc780..06109bfff2b75 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -757,6 +757,17 @@ func TestUserOIDC(t *testing.T) {
 				"kwc.io",
 			},
 			StatusCode: http.StatusOK,
+		}, {
+			Name: "EmailDomainSubset",
+			IDTokenClaims: jwt.MapClaims{
+				"email":          "colin@gmail.com",
+				"email_verified": true,
+			},
+			AllowSignups: true,
+			EmailDomain: []string{
+				"mail.com",
+			},
+			StatusCode: http.StatusForbidden,
 		}, {
 			Name: "EmptyClaims",
 			IDTokenClaims: jwt.MapClaims{},
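Review bot: The comparison `strings.EqualFold(userEmailDomain, domain)` still accepts an address such as `user@` whenever a configured entry is the empty string (for instance from a trailing comma in `CODER_OIDC_EMAIL_DOMAIN`, if the list parser does not drop blanks), since both sides are `""`; and an operator who configured `@example.com`, which the old `HasSuffix` check tolerated, is now rejected outright, so `domain = strings.TrimPrefix(domain, "@")` is worth adding unless the config loader already strips it. The `len(emailSp) == 1` branch duplicates the Forbidden response a few lines below; extracting the domain with `strings.LastIndex` and falling through to the existing `!ok` block covers the no-`@` case in one place and removes the copy. The enclosing `userOIDC` starts and ends outside the hunk.
```go
	if len(api.OIDCConfig.EmailDomain) > 0 {
		ok = false
		// Domain is everything after the last '@'; an address with no '@'
		// (or nothing after it) has no domain and cannot match below.
		var userEmailDomain string
		if i := strings.LastIndex(email, "@"); i >= 0 {
			userEmailDomain = email[i+1:]
		}
		for _, domain := range api.OIDCConfig.EmailDomain {
			// Tolerate a configured leading '@', as the previous suffix check did.
			domain = strings.TrimPrefix(domain, "@")
			if userEmailDomain != "" && domain != "" && strings.EqualFold(userEmailDomain, domain) {
				ok = true
				break
			}
		}
		// … unchanged: the !ok Forbidden response …
```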
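Review bot: The new `EmailDomainSubset` case covers only the superset-suffix regression; the no-`@` branch and the case-insensitive match introduced in coderd/userauth.go have no table entry here. Two sibling cases would pin them: `"email": "colin"` expecting `http.StatusForbidden` (assuming nothing earlier in the handler rejects a bare local part first), and `"email": "colin@GMAIL.com"` with `EmailDomain: []string{"gmail.com"}` expecting `http.StatusOK`. The `TestUserOIDC` table starts and ends outside the hunk.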