Skip to content

security: harden OAuth discovery and token endpoints#480

Open
jeremy wants to merge 1 commit into
security/02-output-ansi-sanitizefrom
security/03-oauth-hardening
Open

security: harden OAuth discovery and token endpoints#480
jeremy wants to merge 1 commit into
security/02-output-ansi-sanitizefrom
security/03-oauth-hardening

Conversation

@jeremy
Copy link
Copy Markdown
Member

@jeremy jeremy commented May 30, 2026
edited
Loading

Harden OAuth discovery and token endpoints

(Threat: T1 malicious/compromised OAuth/discovery server.)

  • authorization_endpoint scheme validation (auth.go buildAuthURL): the endpoint comes from the server-controlled discovery doc and is later handed to OpenBrowserxdg-open/open. Now required to be https (or http on loopback); a file:///--leading value is rejected before dispatch.
  • registration_endpoint HTTPS (registerBC3Client): the DCR path now calls RequireSecureURL, matching the token-exchange and launchpad paths.
  • No-redirect OAuth client (appctx/context.go): CheckRedirect: ErrUseLastResponse. The exchange/refresh requests set GetBody, so Go would replay refresh_token/auth code to a redirect target; RFC 6749 token endpoints don't legitimately 3xx-redirect POSTs. Mirrors the SDK API client's redirect guard.

Tests

TestBuildAuthURL_RejectsUnsafeScheme (accepts https / http-loopback, rejects file://, foreign http://, javascript:, -flag).

Part 3/6 of the stacked security series. Base: security/02-output-ansi-sanitize.

📚 Stack (merge bottom-up)

  1. security: reject foreign-host URLs in api to prevent token leak #478 — reject foreign-host URLs in api (base main)
  2. security: strip ANSI/OSC escapes from API-controlled output #479 — strip ANSI/OSC escapes from output
  3. security: harden OAuth discovery and token endpoints #480 — harden OAuth discovery / token endpoints
  4. security: close config trust-boundary gaps and gate completion loader #481 — close config trust-boundary gaps + completion gate
  5. security: tighten config-dir perms and validate plugin scope argv #482 — tighten config-dir perms + plugin scope argv
  6. security: bump toolchain/x-net for CVEs and tighten CI gates #483 — bump toolchain/x-net + CI gates

Each is independent except #482 depends on #481 (shared root.go). #478 can land first/alone.

Copilot AI review requested due to automatic review settings May 30, 2026 05:58
@github-actions github-actions Bot added tests Tests (unit and e2e) auth OAuth authentication labels May 30, 2026
This was referenced May 30, 2026
Open
Open
Open
Open
Open
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens OAuth discovery-derived endpoints to reduce protocol abuse and credential replay risk when interacting with potentially malicious OAuth/discovery servers.

Tip

If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.

Changes:

  • Validates authorization endpoints before browser dispatch, allowing only HTTPS or loopback HTTP.
  • Validates BC3 dynamic client registration endpoints with existing secure URL checks.
  • Disables redirects for the auth HTTP client used by OAuth discovery/token refresh and adds coverage for unsafe authorization schemes.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
internal/auth/auth.go Adds endpoint validation for dynamic registration and authorization URL construction.
internal/auth/auth_test.go Adds regression coverage for accepted/rejected authorization endpoint schemes.
internal/appctx/context.go Configures the auth HTTP client to avoid following redirects.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 3 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread internal/appctx/context.go Outdated
@jeremy jeremy force-pushed the security/02-output-ansi-sanitize branch from 7b1d3ea to 61aea03 Compare May 30, 2026 06:05
@jeremy jeremy force-pushed the security/03-oauth-hardening branch from d858f7f to 9e7bb58 Compare May 30, 2026 06:05
@github-actions github-actions Bot added the bug Something isn't working label May 30, 2026
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9e7bb58e48

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread internal/appctx/context.go Outdated
@jeremy jeremy force-pushed the security/02-output-ansi-sanitize branch from 61aea03 to e06c5c2 Compare May 30, 2026 06:13
Copilot AI review requested due to automatic review settings May 30, 2026 06:13
@jeremy jeremy force-pushed the security/03-oauth-hardening branch from 9e7bb58 to 3f9352d Compare May 30, 2026 06:13
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread internal/auth/auth.go Outdated
@jeremy jeremy force-pushed the security/02-output-ansi-sanitize branch from e06c5c2 to 9103d13 Compare May 30, 2026 06:23
@jeremy jeremy force-pushed the security/03-oauth-hardening branch from 3f9352d to 396ecac Compare May 30, 2026 06:24
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 396ecac645

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread internal/appctx/context.go Outdated
Copilot AI review requested due to automatic review settings May 30, 2026 07:51
@jeremy jeremy force-pushed the security/03-oauth-hardening branch from 396ecac to 6a3a964 Compare May 30, 2026 07:51
@jeremy jeremy force-pushed the security/02-output-ansi-sanitize branch from 9103d13 to dd63a13 Compare May 30, 2026 07:51
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread internal/auth/auth.go Outdated
@jeremy jeremy force-pushed the security/02-output-ansi-sanitize branch from dd63a13 to 4566262 Compare May 30, 2026 08:27
@jeremy jeremy force-pushed the security/03-oauth-hardening branch from 6a3a964 to 8add014 Compare May 30, 2026 08:27
@jeremy jeremy force-pushed the security/02-output-ansi-sanitize branch from 4566262 to c7b69c7 Compare May 30, 2026 08:51
@jeremy jeremy force-pushed the security/03-oauth-hardening branch from 8add014 to 159b0ef Compare May 30, 2026 08:51
Copilot AI review requested due to automatic review settings May 30, 2026 08:51
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread internal/appctx/context.go
@jeremy jeremy force-pushed the security/03-oauth-hardening branch from 159b0ef to 472188d Compare May 30, 2026 09:12
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 472188d466

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread internal/appctx/context.go Outdated
@jeremy
Harden OAuth discovery and token endpoints
e97f2a9 
- Scheme-validate the discovery authorization_endpoint (https, or http on
  loopback) before it's dispatched to the OS browser launcher, so a hostile
  discovery doc can't hand the OS a file:// (or other) URL.
- Enforce RequireSecureURL on the DCR registration_endpoint.
- Set CheckRedirect on the OAuth HTTP client so token exchange/refresh POST
  bodies (auth code, refresh_token) aren't replayed to a redirect target.
  Idempotent GET/HEAD (OAuth discovery) may still follow redirects, so we
  don't break discovery or force an unintended Launchpad fallback.
Copilot AI review requested due to automatic review settings May 30, 2026 09:34
@jeremy jeremy force-pushed the security/03-oauth-hardening branch from 472188d to e97f2a9 Compare May 30, 2026 09:34
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

auth OAuth authentication bug Something isn't working tests Tests (unit and e2e)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jeremy