Merge pull request from GHSA-4mf2-f3wh-gvf2

oauthproxy.go

@@ -437,21 +437,23 @@ func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
 		}
 		redirectHostname := redirectURL.Hostname()
 
-		for _, domain := range p.whitelistDomains {
+		for _, allowedDomain := range p.whitelistDomains {
-			domainHostname, domainPort := splitHostPort(strings.TrimLeft(domain, "."))
+			allowedHost, allowedPort := splitHostPort(allowedDomain)
-			if domainHostname == "" {
+			if allowedHost == "" {
 				continue
 			}
 
-			if (redirectHostname == domainHostname) || (strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectHostname, domainHostname)) {
+			if redirectHostname == strings.TrimPrefix(allowedHost, ".") ||
+				(strings.HasPrefix(allowedHost, ".") &&
+					strings.HasSuffix(redirectHostname, allowedHost)) {
 				// the domain names match, now validate the ports
 				// if the whitelisted domain's port is '*', allow all ports
 				// if the whitelisted domain contains a specific port, only allow that port
 				// if the whitelisted domain doesn't contain a port at all, only allow empty redirect ports ie http and https
 				redirectPort := redirectURL.Port()
-				if (domainPort == "*") ||
+				if allowedPort == "*" ||
-					(domainPort == redirectPort) ||
+					allowedPort == redirectPort ||
-					(domainPort == "" && redirectPort == "") {
+					(allowedPort == "" && redirectPort == "") {
 					return true
 				}
 			}

oauthproxy_test.go

@@ -298,6 +298,11 @@ func TestIsValidRedirect(t *testing.T) {
 			Redirect:       "/\t/\t\\evil.com",
 			ExpectedResult: false,
 		},
+		{
+			Desc:           "openRedirectPartialSubdomain",
+			Redirect:       "http://evilbar.foo",
+			ExpectedResult: false,
+		},
 	}
 
 	for _, tc := range testCases {