Neutralize unsafe (non-local) destination params #83
This addresses a covert redirect vulnerability when the following is used as an
authentication URL:
http://domain.dev/auth/provider?destination=//google.com
Covert redirects (https://www.owasp.org/index.php/Open_redirect) are often used
in phishing scams by giving people a link that appears safe but surreptitiously
redirects them to a different domain.
Once on that different domain (which can be designed to look like the original
domain), users can be asked for their password and give it away because they don't
notice that they have been redirected to a different destination.
This is not a vulnerability in itself, but used in combination with a rather
simple phishing attack, this can be potentially dangerous.
PS: I previously tried to fix this on OmniAuth::Strategy, but it is specific to
OAuth 2 and all strategies that override the request_phase method defeat my
original fix. That said, I don't know if this is the ideal place to fix this.
It's just something I've tested and it works for all our strategies that inherit from
OmniAuth::Strategies::OAuth2: omniauth-github, omniauth-facebook, and omniauth-gplus.
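The check below is an added example of how a "local destination only" filter for the destination param can be written; it is not this pull request's diff or omniauth-oauth2's own code. It assumes the param is a plain string taken from the query string (as in the URL above), treats only absolute paths on the current site as safe, and falls back to "/" for everything else, including the protocol-relative `//google.com` form, backslash variants browsers normalise to slashes, and absolute URLs with a scheme. The function names `safe_destination` and `destination_from_auth_url` are invented for this example.

```ruby
require "uri"

# Return +param+ only when it is a local, path-only destination such as
# "/dashboard?tab=1"; otherwise return +fallback+.
# Illustrative filter written for this example, not omniauth-oauth2's code.
def safe_destination(param, fallback: "/")
  return fallback unless param.is_a?(String) && !param.empty?

  # Protocol-relative ("//google.com", "///google.com") and backslash forms
  # ("/\google.com", which browsers rewrite to "//google.com") are non-local.
  return fallback if param.start_with?("//", "/\\") || param.include?("\\")

  uri = begin
    URI.parse(param)
  rescue URI::InvalidURIError
    # Whitespace, control characters or other junk: never redirect there.
    return fallback
  end

  # Any scheme, host or userinfo means an absolute target
  # ("http://google.com/", "javascript:alert(1)", "//user@host").
  return fallback if uri.scheme || uri.host || uri.userinfo

  # Only absolute paths on this site are accepted; "dashboard" or "?x=1" are not.
  return fallback unless uri.path.to_s.start_with?("/")

  param
end

# Pull the destination param out of a full authentication URL (the scenario in
# the PR description) and run it through safe_destination. Assumed helper name.
def destination_from_auth_url(url, fallback: "/")
  query  = URI.parse(url).query.to_s
  params = URI.decode_www_form(query).to_h
  safe_destination(params["destination"], fallback: fallback)
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs for demonstration.
  [
    "http://domain.dev/auth/provider?destination=//google.com",
    "http://domain.dev/auth/provider?destination=http://google.com/",
    "http://domain.dev/auth/provider?destination=%2Fsettings%3Ftab%3D1"
  ].each do |auth_url|
    puts "#{auth_url} -> redirect to #{destination_from_auth_url(auth_url)}"
  end
end
```

Because the strategies mentioned above override `request_phase`, a filter like this has to run wherever the destination is read back out of the session or params before the final redirect, not only where it is first stored.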