Skip to content

fix: limit OAuth redirects to local paths #14585

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Sep 10, 2024
Merged

fix: limit OAuth redirects to local paths #14585

merged 9 commits into from
Sep 10, 2024

Conversation

sreya
Copy link
Collaborator

@sreya sreya commented Sep 6, 2024
edited
Loading

  • This prevents a malicious user from crafting a redirect URL to a nefarious site under their control.

fixes https://github.com/coder/security/issues/57

@sreya
fix: limit OAuth redirects to local paths
0abbb7c 
- This prevents a malicious user from crafting a redirect
  URL to a nefarious site under their control.
sreya added 6 commits September 6, 2024 15:19
@sreya
hm
5e88d67
@sreya
Prevent malicious redirects in OAuth flows
7905003 
Introduce a utility function `uriFromURL` to strip host information from
redirect URLs, ensuring redirects remain local. This mitigates potential
security risks by preventing redirects to external malicious sites.

Changes:
- Modify OAuth2 and OIDC callback logic to utilize `uriFromURL`.
- Enhance related test cases for preventing external redirects.

This work ensures secure handling of redirect URLs across the application.
@sreya
Remove extra blank line in TestUserOIDC
8b4baf0 
- Removed an unnecessary blank line for code consistency.
@sreya
Refactor OIDC login redirection handling
0706f45 
- Improve handling of redirect logic in FakeIDP.
- Ensure existing CheckRedirect functions are respected.
- Enhance OIDC login test to handle redirects properly.
@sreya
Refactor OIDC login redirection handling
6f9baa8 
- Improve handling of redirect logic in FakeIDP by ensuring existing CheckRedirect functions are respected.
- Enhance related test cases for better testing of redirect behaviors.

Changes:
- Store claims if state is available before falling back to existing CheckRedirect.
- Ensure HTTP client transport is set to default in tests before assigning CheckRedirect.
@sreya
Remove debug print statement in FakeIDP
5b35a07 
Removing a leftover debug print statement to clean up the code.
@sreya sreya requested a review from Emyrk September 9, 2024 23:21
sreya added 2 commits September 9, 2024 23:29
@sreya
Refactor OIDC login redirection handling
4f8b28b 
- Prevent redirecting the last step in the OIDC flow involving the state
  parameter, ensuring it remains part of the core OIDC process.
- This ensures secure and consistent handling of redirects in the OIDC
  login flow.
@sreya
Fix OAuth redirect URL test
ef5fc1f 
Update the OAuth redirect URL test to exclude fragment

Previously, the test included a fragment in the constructed URL.
Removing the fragment ensures consistency with the actual URL format
used in the application.
Emyrk
Emyrk approved these changes Sep 10, 2024
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really clean solution to prevent redirects outside our domain 👍

@sreya sreya merged commit 328e696 into main Sep 10, 2024
26 checks passed
@sreya sreya deleted the jon/fixredirect branch September 10, 2024 14:58
@github-actions github-actions bot locked and limited conversation to collaborators Sep 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Emyrk Emyrk Emyrk approved these changes

Assignees

@sreya sreya

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sreya @Emyrk