-
Notifications
You must be signed in to change notification settings - Fork 681
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Guard against open redirect URL parameters in login #4763
Conversation
Signed-off-by: Katrina Rogan <[email protected]>
Signed-off-by: Katrina Rogan <[email protected]>
Signed-off-by: Katrina Rogan <[email protected]>
Signed-off-by: Katrina Rogan <[email protected]>
Signed-off-by: Katrina Rogan <[email protected]>
Signed-off-by: Katrina Rogan <[email protected]>
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #4763 +/- ##
==========================================
- Coverage 58.18% 58.17% -0.01%
==========================================
Files 626 626
Lines 53833 53862 +29
==========================================
+ Hits 31322 31336 +14
- Misses 20003 20016 +13
- Partials 2508 2510 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
flyteadmin/auth/handler_utils.go
Outdated
return url.Hostname() == authorizedURL.Hostname() && url.Port() == authorizedURL.Port() && url.Scheme == authorizedURL.Scheme | ||
} | ||
|
||
func GetRedirectURLAllowed(ctx context.Context, redirectParam string, cfg *config.Config) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: urlRedirectParam
@@ -141,6 +141,11 @@ func GetLoginHandler(ctx context.Context, authCtx interfaces.AuthenticationConte | |||
logger.Debugf(ctx, "Setting CSRF state cookie to %s and state to %s\n", csrfToken, state) | |||
url := authCtx.OAuth2ClientConfig(GetPublicURL(ctx, request, authCtx.Options())).AuthCodeURL(state) | |||
queryParams := request.URL.Query() | |||
if !GetRedirectURLAllowed(ctx, queryParams.Get(RedirectURLParameter), authCtx.Options()) { | |||
logger.Infof(ctx, "unauthorized redirect URI") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Info only
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is info!
Signed-off-by: Katrina Rogan <[email protected]>
dd5e6fa
Why are the changes needed?
Best practices recommend for not allowing open redirect URIs upon log-in, see https://developers.google.com/search/blog/2009/01/open-redirect-urls-is-your-site-being
What changes were proposed in this pull request?
This change uses flyteadmin's configured authorized URIs (for which flyteadmin is exposed and accessible) to validate redirect URIs
How was this patch tested?
Tested on a local deployment. Tried with
/login?redirect_url=http://www.google.com
which now fails and with a valid redirect to<flyteadmin>/console
which succeeded.Setup process
Screenshots
Check all the applicable boxes
Related PRs
Docs link