
Merge pull request from GHSA-j7px-6hwj-hpjg

This commit is contained in:
Joel Speed
2020-05-06 12:42:02 +01:00
committed by GitHub
parent 36da6e2be9
commit 0d5fa211df
2 changed files with 60 additions and 1 deletions


@ -57,6 +57,10 @@ var SignatureHeaders = []string{
var (
// ErrNeedsLogin means the user should be redirected to the login page
ErrNeedsLogin = errors.New("redirect to login page")
// Used to check final redirects are not susceptible to open redirects.
// Matches //, /\ and both of these with whitespace in between (eg / / or / \).
invalidRedirectRegex = regexp.MustCompile(`^/(\s|\v)?(/|\\)`)
)
// OAuthProxy is the main authentication proxy
@ -578,7 +582,7 @@ func validOptionalPort(port string) bool {
// IsValidRedirect checks whether the redirect URL is whitelisted
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
switch {
case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !invalidRedirectRegex.MatchString(redirect):
return true
case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
redirectURL, err := url.Parse(redirect)
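Review bot: The `?` quantifier in the added `invalidRedirectRegex` (`^/(\s|\v)?(/|\\)`) permits at most one whitespace character between the two separators, so the new case in IsValidRedirect still accepts a relative path whose leading slash is followed by two or more whitespace characters and then `/` or `\`; user agents that strip tabs and newlines from a URL may collapse such a value back into a protocol-relative form, which is exactly what the hunk's comment says the pattern is meant to reject. Matching a run of whitespace instead, `invalidRedirectRegex = regexp.MustCompile(`^/[\s\v]*[/\\]`)`, covers the zero, one and many cases uniformly. With that pattern the `!strings.HasPrefix(redirect, "//")` clause on the changed case line is redundant, since the regex already matches `//` with no whitespace, and the case could read `case strings.HasPrefix(redirect, "/") && !invalidRedirectRegex.MatchString(redirect):`. The IsValidRedirect body, including the `http://`/`https://` branch that parses redirectURL, continues outside the hunk, so the absolute-URL checks could not be reviewed here.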