codecov · scott-codecov · Oct 17, 2023 · Oct 13, 2023 · Oct 13, 2023 · Oct 17, 2023
diff --git a/codecov_auth/tests/unit/views/test_okta.py b/codecov_auth/tests/unit/views/test_okta.py
@@ -168,6 +168,16 @@ def test_okta_redirect_to_authorize_no_iss(client):
     assert res.url == f"{settings.CODECOV_DASHBOARD_URL}/login"
 
 
+@override_settings(
+    OKTA_OAUTH_CLIENT_ID="test-client-id",
+    OKTA_OAUTH_REDIRECT_URL="https://localhost:8000/login/okta",
+)
+def test_okta_redirect_to_authorize_invalid_iss(client):
+    res = client.get(reverse("okta-login"), data={"iss": "https://non.okta.domain"})
+    assert res.status_code == 302
+    assert res.url == f"{settings.CODECOV_DASHBOARD_URL}/login"
+
+
 @override_settings(
     OKTA_OAUTH_CLIENT_ID="test-client-id",
     OKTA_OAUTH_CLIENT_SECRE="test-client-secret",

diff --git a/codecov_auth/views/okta.py b/codecov_auth/views/okta.py
@@ -1,6 +1,6 @@
 import json
 import logging
-import uuid
+import re
 from typing import Dict, Optional
 from urllib.parse import urlencode
 
@@ -18,6 +18,7 @@
 from utils.services import get_short_service_name
 
 log = logging.getLogger(__name__)
+iss_regex = re.compile(r"https://[\w\d\-\_]+.okta.com/?")
 
 
 def validate_id_token(iss: str, id_token: str) -> dict:
@@ -186,4 +187,7 @@ def get(self, request):
             if not iss:
                 log.warning("Missing Okta issuer")
                 return redirect(f"{settings.CODECOV_DASHBOARD_URL}/login")
+            if not iss_regex.match(iss):
+                log.warning("Invalid Okta issuer")
+                return redirect(f"{settings.CODECOV_DASHBOARD_URL}/login")
             return self._redirect_to_consent(iss=iss)