mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-02 23:27:22 +02:00

Ensure that cookie names over 256 characters are rejected by validation

Joel Speed 2020-07-04 16:08:12 +01:00
parent eb933cc3f4
commit 3e13f3197f
No known key found for this signature in database
GPG Key ID: 6E80578D6751DEFB
2 changed files with 31 additions and 2 deletions


@ -35,11 +35,17 @@ func validateCookie(o options.Cookie) []string {
} }
func validateCookieName(name string) []string { func validateCookieName(name string) []string {
msgs := []string{}
cookie := &http.Cookie{Name: name} cookie := &http.Cookie{Name: name}
if cookie.String() == "" { if cookie.String() == "" {
return []string{fmt.Sprintf("invalid cookie name: %q", name)} msgs = append(msgs, fmt.Sprintf("invalid cookie name: %q", name))
} }
return []string{}
if len(name) > 256 {
msgs = append(msgs, fmt.Sprintf("cookie name should be under 256 characters: cookie name is %d characters", len(name)))
}
return msgs
} }
func validateCookieSecret(secret string) []string { func validateCookieSecret(secret string) []string {
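Review bot: The new guard `if len(name) > 256` in validateCookieName accepts a name of exactly 256 bytes, but its message says the name "should be under 256 characters", so the check and the text disagree at the boundary. Make them agree by either changing the condition to `if len(name) >= 256 {` or rewording the message to `cookie name should be no more than 256 characters: cookie name is %d characters`; rewording also means updating `longNameMsg` in the test file. The added test only uses a 260-character name, so a 256- and a 257-character case would pin whichever reading is intended. The 256 is also a bare literal: a named constant with a comment such as `// maxCookieNameLength bounds the configured cookie name so the Set-Cookie header stays within size limits` (wording to be confirmed by the author) would record why the limit exists. If other cookie names are derived from this one by appending a suffix, which this hunk does not show, the comment should say whether the limit is meant to cover those as well.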


@ -1,6 +1,7 @@
package validation package validation
import ( import (
"strings"
"testing" "testing"
"time" "time"
@ -9,8 +10,12 @@ import (
) )
func TestValidateCookie(t *testing.T) { func TestValidateCookie(t *testing.T) {
alphabet := "abcdefghijklmnopqrstuvwxyz"
validName := "_oauth2_proxy" validName := "_oauth2_proxy"
invalidName := "_oauth2;proxy" // Separater character not allowed invalidName := "_oauth2;proxy" // Separater character not allowed
// 10 times the alphabet should be longer than 256 characters
longName := strings.Repeat(alphabet, 10)
validSecret := "secretthirtytwobytes+abcdefghijk" validSecret := "secretthirtytwobytes+abcdefghijk"
invalidSecret := "abcdef" // 6 bytes is not a valid size invalidSecret := "abcdef" // 6 bytes is not a valid size
validBase64Secret := "c2VjcmV0dGhpcnR5dHdvYnl0ZXMrYWJjZGVmZ2hpams" // Base64 encoding of "secretthirtytwobytes+abcdefghijk" validBase64Secret := "c2VjcmV0dGhpcnR5dHdvYnl0ZXMrYWJjZGVmZ2hpams" // Base64 encoding of "secretthirtytwobytes+abcdefghijk"
@ -25,6 +30,7 @@ func TestValidateCookie(t *testing.T) {
} }
invalidNameMsg := "invalid cookie name: \"_oauth2;proxy\"" invalidNameMsg := "invalid cookie name: \"_oauth2;proxy\""
longNameMsg := "cookie name should be under 256 characters: cookie name is 260 characters"
missingSecretMsg := "missing setting: cookie-secret" missingSecretMsg := "missing setting: cookie-secret"
invalidSecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 6 bytes" invalidSecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 6 bytes"
invalidBase64SecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 10 bytes" invalidBase64SecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 10 bytes"
@ -134,6 +140,23 @@ func TestValidateCookie(t *testing.T) {
invalidNameMsg, invalidNameMsg,
}, },
}, },
{
name: "with a name that is too long",
cookie: options.Cookie{
Name: longName,
Secret: validSecret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "",
},
errStrings: []string{
longNameMsg,
},
},
{ {
name: "with refresh longer than expire", name: "with refresh longer than expire",
cookie: options.Cookie{ cookie: options.Cookie{