From 3f7837b9559684064f0c82d1edea8bfca4b62957 Mon Sep 17 00:00:00 2001
From: Phil Taprogge
Date: Thu, 2 Apr 2020 09:51:38 +0100
Subject: [PATCH] Add logging in case of invalid redirects (#471)
* Add logging in case of invalid redirects
* update changelog
Co-authored-by: Joel Speed
---
 CHANGELOG.md | 1 +
 oauthproxy.go | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ab41f12a..78575adb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@
 - Release images moved to `quay.io/oauth2-proxy/oauth2-proxy`
 - Binaries renamed from `oauth2_proxy` to `oauth2-proxy`
 - [#432](https://github.com/oauth2-proxy/oauth2-proxy/pull/432) Update ruby dependencies for documentation (@theobarberbany)
+- [#471](https://github.com/oauth2-proxy/oauth2-proxy/pull/471) Add logging in case of invalid redirects (@gargath)
 # v5.1.0
diff --git a/oauthproxy.go b/oauthproxy.go
index 1dbe78b4..49323d2e 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -576,6 +576,7 @@ func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
 case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
 redirectURL, err := url.Parse(redirect)
 if err != nil {
+ logger.Printf("Rejecting invalid redirect %q: scheme unsupported or missing", redirect)
 return false
 }
 redirectHostname := redirectURL.Hostname()
@@ -600,8 +601,10 @@ func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
 }
 }
+ logger.Printf("Rejecting invalid redirect %q: domain / port not in whitelist", redirect)
 return false
 default:
+ logger.Printf("Rejecting invalid redirect %q: not an absolute or relative URL", redirect)
 return false
 }
 }
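Review bot: The reason logged in the `err != nil` branch does not match the condition it sits under: that branch is reached only after the `http://`/`https://` prefix test has passed, so the scheme is present and the failure is a `url.Parse` error, and `err` itself is discarded. An operator triaging rejected redirects is pointed at the wrong cause; `logger.Printf("Rejecting invalid redirect %q: could not parse URL: %v", redirect, err)` keeps the message accurate. `%q` is a good choice here and in the two calls of the next hunk, since it escapes control characters in a value that presumably comes from the request, but none of the three calls bounds its length; a precision such as `%.256q` would cap it, assuming `logger.Printf` follows `fmt` verb rules. IsValidRedirect starts and ends outside this hunk.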
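Review bot: The allow-list rejection logs only the raw string, while the decision appears to be made on the parsed value (`redirectURL.Hostname()` in the previous hunk; the port handling lies outside both hunks). Where the raw text and the parsed host differ, which is the case most worth investigating when reviewing rejected redirects, the log line does not show what was actually compared. Adding the parsed authority, e.g. `logger.Printf("Rejecting invalid redirect %q: host %q not in whitelist", redirect, redirectURL.Host)`, would make the entry self-explanatory, provided `redirectURL` is still in scope at that point (the loop between the two hunks is not shown).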