Skip to content

fix: limit OAuth redirects to local paths #14585

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Sep 10, 2024
Merged

fix: limit OAuth redirects to local paths #14585

Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
0abbb7c
fix: limit OAuth redirects to local paths
sreya Sep 5, 2024
5e88d67
hm
sreya Sep 6, 2024
7905003
Prevent malicious redirects in OAuth flows
sreya Sep 9, 2024
8b4baf0
Remove extra blank line in TestUserOIDC
sreya Sep 9, 2024
0706f45
Refactor OIDC login redirection handling
sreya Sep 9, 2024
6f9baa8
Refactor OIDC login redirection handling
sreya Sep 9, 2024
5b35a07
Remove debug print statement in FakeIDP
sreya Sep 9, 2024
4f8b28b
Refactor OIDC login redirection handling
sreya Sep 9, 2024
ef5fc1f
Fix OAuth redirect URL test
sreya Sep 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Fix OAuth redirect URL test 
Update the OAuth redirect URL test to exclude fragment

Previously, the test included a fragment in the constructed URL.
Removing the fragment ensures consistency with the actual URL format
used in the application.
  • Loading branch information
@sreya
sreya committed Sep 10, 2024
commit ef5fc1f104014891d2edf85e2612fa91ff5feb96
3 changes: 1 addition & 2 deletions coderd/httpmw/oauth2_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,9 +77,8 @@ func TestOAuth2(t *testing.T) {
Host: "some.bad.domain.com",
Path: "/sadf/asdfasdf",
RawQuery: "foo=hello&bar=world",
Fragment: "my_section",
}
expectedValue := uri.Path + "?" + uri.RawQuery + "#" + uri.Fragment
expectedValue := uri.Path + "?" + uri.RawQuery
req := httptest.NewRequest("GET", "/?redirect="+url.QueryEscape(uri.String()), nil)
res := httptest.NewRecorder()
tp := newTestOAuth2Provider(t, oauth2.AccessTypeOffline)
Expand Down
Loading