feat: Allow wildcard domains for redirect_to checks #1528
Conversation
driver/config/config.go
Outdated
| continue | ||
| } | ||
| eTLD, icann := publicsuffix.PublicSuffix(parsed.Host) | ||
| if parsed.Host[:1] == "*" && |
There was a problem hiding this comment.
This panics if host is an empty string. Also, what about foo.*.bar?
There was a problem hiding this comment.
Most of the cases I can think of is adding some return domain eg: page1.foo.bar or page2.foo.bar where those changes are valid. If we want to make more complicated situations work I would probably go with regex, but is this case really needed?
| @@ -55,6 +55,14 @@ func SecureRedirectOverrideDefaultReturnTo(defaultReturnTo *url.URL) SecureRedir | |||
| } | |||
| } | |||
|
|
|||
| // SecureRedirectToIsWhitelisted validates if the redirect_to param is allowed for a given wildcard | |||
| func SecureRedirectToIsWhiteListedHost(returnTo *url.URL, allowed url.URL) bool { | |||
There was a problem hiding this comment.
Could you please add tests for this?
x/http_secure_redirect.go
Outdated
| // SecureRedirectToIsWhitelisted validates if the redirect_to param is allowed for a given wildcard | ||
| func SecureRedirectToIsWhiteListedHost(returnTo *url.URL, allowed url.URL) bool { | ||
| if allowed.Host != "" && allowed.Host[:1] == "*" { | ||
| return strings.HasSuffix(returnTo.Host, allowed.Host[1:]) |
There was a problem hiding this comment.
What's the plan for case sensitivity here?
- On documentation, the function docstring is ambiguous,
- when wildcards are used, the match is case-sensitive,
- when wildcards are not used, the match is case-insensitive.
To follow the principle of least surprise, you might want to do one of
- Do strings.HasSuffix(strings.ToLower(returnTo.Host), strings.ToLower(allowed.Host[1:]) here to be case-insensitive.
- .. or do return allowed.Host == returnTo.Host few lines later to be case-sensitive.
- .. or mention this semi-case-insensitivity behavior in the function comment if it is intentional and preferred.
There was a problem hiding this comment.
Hostnames are case insensitive, so the correct approach would be to have the wildcard matches also case insensitive :)
|
While the PR is being worked on I will mark it as a draft. That declutters our review backlog :) Once you're done with your changes and would like someone to review them, mark the PR as ready and request a review from one of the maintainers. Thank you! |
|
@abador are you still up for the changes or should I close this? |
abador
changed the title
…rect-to-domains # Conflicts: # driver/config/config.go # go.mod
|
@aeneasr it seems that e2e tests are failing, but it doesn't look it's connected to my changes. If we really need a solution that works with wildcards inside a subdomain please ping me |
|
I tried pushing some changes required for merging the PR to your fork & branch, but it appears that I am not allowed to do so 😕 But the good news is, giving access is easy! If the repository belongs to an organization, please add me for the project as a collaborator! |
There was a problem hiding this comment.
Great! Now, one last thing :) We need to document it! Could you please add some docs here: https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion
Thank you! 🙏
I've added some more docs in my last commit. |
|
Great stuff! |
Updated example for `allowed_return_urls` to include wildcard url. [Merged PR from 2021](ory#1528)
Related issue
resolves #943
@aeneasr
Proposed changes
Allow to whitelist a wildcard domain. Domains are filtered out using golang.org/x/net/publicsuffix
Checklist
contributing code guidelines.
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further comments