Double slash in URLs causes CSRF issues #779

Closed
aeneasr opened this issue Oct 20, 2020 · 0 comments
Labels
feat New feature or request. good first issue A good issue to tackle when being a novice to the project. help wanted We are looking for help on this one.

aeneasr commented Oct 20, 2020

Describe the bug

Using a double-slash - usually on accident https://my-kratos//foo/bar - in URLs will cause the nosurf handler to ignore ExemptPath which leads to hard-to-debug errors for API flows.

Reproducing the bug

Try to POST an API flow with a double slash in the URL to e.g. the password method.

Server logs

-encoding:gzip, deflate, br accept-language:en-us user-agent:Expo/2.17.4.101 CFNetwork/1197 Darwin/19.6.0 x-forwarded-for:2001:a61:1206:c401:c06f:dbf9:35e8:3e26 x-forwarded-proto:https] host:5a27986377c9.ngrok.io method:POST path://self-service/registration/methods/password query:flow=774b929f-5b38-493e-b956-17264136c7ec remote:172.19.0.1:43000 scheme:http] http_response=map[status_code:400] service_name=kratos service_version=
kratos_1                      | time=2020-10-20T06:58:10Z level=info msg=started handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/x@v0.0.153/reqlog/middleware.go:131 method=POST name=public#http://127.0.0.1:4433/ remote=172.19.0.1:43000 request=//self-service/registration/methods/password?flow=774b929f-5b38-493e-b956-17264136c7ec
kratos_1                      | time=2020-10-20T06:58:10Z level=inf

Expected behavior

This should be handled gracefully.

Environment

  • v0.5.1-alpha.1
@aeneasr aeneasr added feat New feature or request. help wanted We are looking for help on this one. good first issue A good issue to tackle when being a novice to the project. labels Oct 20, 2020
@aeneasr aeneasr added this to the v0.7.0-alpha.1 milestone Oct 20, 2020
aeneasr added a commit that referenced this issue Oct 22, 2020
aeneasr added a commit that referenced this issue Oct 22, 2020
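The mechanism behind this report, as an added example that is not Kratos or nosurf code: an exact-match exemption list never matches `//self-service/...`, so an API-flow POST with no CSRF token gets a 400, while a small path-normalizing wrapper placed in front of the CSRF check makes the same request succeed. The `exemptPaths` map, `X-CSRF-Token` header and `PLACEHOLDER` flow id are assumptions made for the illustration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
)

// Hypothetical stand-in for the CSRF middleware's exempt list. nosurf's ExemptPath
// is an exact-match lookup, so "//self-service/..." never matches "/self-service/...".
var exemptPaths = map[string]bool{"/self-service/registration/methods/password": true}

// NormalizePath collapses repeated slashes and resolves "." and ".." so the exemption
// check sees the path the router serves. path.Clean drops a trailing slash, so
// register exempt paths without one.
func NormalizePath(p string) string { return path.Clean("/" + p) }

// WithNormalizedPath rewrites r.URL.Path before the CSRF check runs.
func WithNormalizedPath(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.URL.Path = NormalizePath(r.URL.Path)
		next.ServeHTTP(w, r)
	})
}

// csrfCheck reproduces the report's failure mode: a POST to a non-exempt path with
// no CSRF token (API flows send none) is rejected with 400.
func csrfCheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && !exemptPaths[r.URL.Path] && r.Header.Get("X-CSRF-Token") == "" {
			http.Error(w, "CSRF token missing", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Status is the HTTP status an API-flow POST to rawPath receives, with or without the wrapper.
func Status(rawPath string, normalize bool) int {
	ok := func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }
	var h http.Handler = csrfCheck(http.HandlerFunc(ok))
	if normalize {
		h = WithNormalizedPath(h)
	}
	req := &http.Request{Method: http.MethodPost, URL: &url.URL{Path: rawPath, RawQuery: "flow=PLACEHOLDER"}}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```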