Skip to content
Permalink
Browse files Browse the repository at this point in the history
Merge pull request from GHSA-4mf2-f3wh-gvf2
  • Loading branch information
NickMeves committed Feb 1, 2021
1 parent 48b1658 commit 780ae4f
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 7 deletions.
16 changes: 9 additions & 7 deletions oauthproxy.go
Expand Up @@ -437,21 +437,23 @@ func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
}
redirectHostname := redirectURL.Hostname()

for _, domain := range p.whitelistDomains {
domainHostname, domainPort := splitHostPort(strings.TrimLeft(domain, "."))
if domainHostname == "" {
for _, allowedDomain := range p.whitelistDomains {
allowedHost, allowedPort := splitHostPort(allowedDomain)
if allowedHost == "" {
continue
}

if (redirectHostname == domainHostname) || (strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectHostname, domainHostname)) {
if redirectHostname == strings.TrimPrefix(allowedHost, ".") ||
(strings.HasPrefix(allowedHost, ".") &&
strings.HasSuffix(redirectHostname, allowedHost)) {
// the domain names match, now validate the ports
// if the whitelisted domain's port is '*', allow all ports
// if the whitelisted domain contains a specific port, only allow that port
// if the whitelisted domain doesn't contain a port at all, only allow empty redirect ports ie http and https
redirectPort := redirectURL.Port()
if (domainPort == "*") ||
(domainPort == redirectPort) ||
(domainPort == "" && redirectPort == "") {
if allowedPort == "*" ||
allowedPort == redirectPort ||
(allowedPort == "" && redirectPort == "") {
return true
}
}
Expand Down
5 changes: 5 additions & 0 deletions oauthproxy_test.go
Expand Up @@ -298,6 +298,11 @@ func TestIsValidRedirect(t *testing.T) {
Redirect: "/\t/\t\\evil.com",
ExpectedResult: false,
},
{
Desc: "openRedirectPartialSubdomain",
Redirect: "http://evilbar.foo",
ExpectedResult: false,
},
}

for _, tc := range testCases {
Expand Down

0 comments on commit 780ae4f

Please sign in to comment.