From cee777b874cf28386f47e53cb5de6aba8e69f4e1 Mon Sep 17 00:00:00 2001
From: Scott Nelson
Date: Fri, 13 Oct 2023 09:54:55 +0200
Subject: [PATCH] fix: Make sure Okta iss has proper form

---
 codecov_auth/tests/unit/views/test_okta.py | 10 ++++++++++
 codecov_auth/views/okta.py                 |  6 +++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/codecov_auth/tests/unit/views/test_okta.py b/codecov_auth/tests/unit/views/test_okta.py
index 1df804cce..e9ed04d96 100644
--- a/codecov_auth/tests/unit/views/test_okta.py
+++ b/codecov_auth/tests/unit/views/test_okta.py
@@ -168,6 +168,16 @@ def test_okta_redirect_to_authorize_no_iss(client):
     assert res.url == f"{settings.CODECOV_DASHBOARD_URL}/login"
 
 
+@override_settings(
+    OKTA_OAUTH_CLIENT_ID="test-client-id",
+    OKTA_OAUTH_REDIRECT_URL="https://localhost:8000/login/okta",
+)
+def test_okta_redirect_to_authorize_invalid_iss(client):
+    res = client.get(reverse("okta-login"), data={"iss": "https://non.okta.domain"})
+    assert res.status_code == 302
+    assert res.url == f"{settings.CODECOV_DASHBOARD_URL}/login"
+
+
 @override_settings(
     OKTA_OAUTH_CLIENT_ID="test-client-id",
     OKTA_OAUTH_CLIENT_SECRE="test-client-secret",
diff --git a/codecov_auth/views/okta.py b/codecov_auth/views/okta.py
index ac97f8a1b..6dd7228d3 100644
--- a/codecov_auth/views/okta.py
+++ b/codecov_auth/views/okta.py
@@ -1,6 +1,6 @@
 import json
 import logging
-import uuid
+import re
 from typing import Dict, Optional
 from urllib.parse import urlencode
 
@@ -18,6 +18,7 @@ from utils.services import get_short_service_name
 
 
 log = logging.getLogger(__name__)
 
+iss_regex = re.compile(r"https://[\w\d\-\_]+.okta.com/?")
 
 def validate_id_token(iss: str, id_token: str) -> dict:
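Review bot: The new test rejects only an issuer on a wholly unrelated host, so it does not pin the boundaries of the `iss_regex` check this commit adds in codecov_auth/views/okta.py: that pattern is applied with `re.match` and has no end anchor, and the `.` characters around `okta` are unescaped, so an issuer that merely starts with a well-formed Okta host is not what this test exercises. Add negative cases built on a valid-looking prefix, e.g. (constructed values) `"https://example.okta.com.example.org"` and `"https://example-okta.com"`, each asserting the same 302 to `{settings.CODECOV_DASHBOARD_URL}/login`, plus one positive case such as `"https://example.okta.com"` if a later test in this file does not already cover it. The added negatives will fail against the regex as currently written; that is the value of the test, since it documents the contract the view is meant to enforce.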
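Review bot: `iss_regex` is looser than its name suggests: the `.` before `okta` and the `.` in `okta.com` are unescaped and match any character, `[\w\d\-\_]` is just `\w` with redundant escapes (and `\w` on a str pattern also admits non-ASCII letters, which are not valid hostname label characters), and because the use site in `get` (the `@@ -186,4 +187,7` hunk below) calls `re.match` with no end anchor, anything may follow the optional `/`. The view then appears to hand `iss` on to `_redirect_to_consent` and `validate_id_token`, so an issuer whose host merely begins with a well-formed Okta label would still be accepted as the identity provider; the rest of that flow is outside these hunks, so this is inferred. Suggest `iss_regex = re.compile(r"https://[A-Za-z0-9-]+\.okta\.com/?")` here and `if not iss_regex.fullmatch(iss):` at the use site, and if other Okta cells such as oktapreview.com must be accepted, list them explicitly in the alternation rather than loosening the character classes.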
@@ -186,4 +187,7 @@ def get(self, request):
         if not iss:
             log.warning("Missing Okta issuer")
             return redirect(f"{settings.CODECOV_DASHBOARD_URL}/login")
+        if not iss_regex.match(iss):
+            log.warning("Invalid Okta issuer")
+            return redirect(f"{settings.CODECOV_DASHBOARD_URL}/login")
         return self._redirect_to_consent(iss=iss)
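Review bot: The new `log.warning("Invalid Okta issuer")` records that a request was rejected but not what was rejected, so a burst of these warnings cannot be told apart from a misconfigured tenant or a probing client. Since the value has already been refused, include it in the record with `%r` so that newlines or control characters in a request-supplied string stay on one log line: `log.warning("Invalid Okta issuer: %r", iss)`. `get` begins before this hunk, so the origin of `iss` is not visible here; the redirect target is identical for both rejection branches, which is fine as long as the two log messages remain distinct.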