go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-27 00:51:33 +02:00
Code Issues Releases Activity

update port whitelisting rules, refactor IsValidRedirect tests

Browse Source
This commit is contained in:
Kamal Nasser
2019-10-23 16:38:44 +03:00
parent ae4e9155d2
commit a12bae35ca
2 changed files with 193 additions and 67 deletions

204
oauthproxy_test.go

@ -182,70 +182,158 @@ func TestIsValidRedirect(t *testing.T) {
opts.ClientSecret = "fgkdsgj"
opts.CookieSecret = "ljgiogbj"
// Should match domains that are exactly foo.bar and any subdomain of bar.foo
opts.WhitelistDomains = []string{"foo.bar", ".bar.foo", "port.bar:8080", ".sub.port.bar:8080"}
opts.WhitelistDomains = []string{
"foo.bar",
".bar.foo",
"port.bar:8080",
".sub.port.bar:8080",
"anyport.bar:*",
".sub.anyport.bar:*",
}
opts.Validate()
proxy := NewOAuthProxy(opts, func(string) bool { return true })
noRD := proxy.IsValidRedirect("")
assert.Equal(t, false, noRD)
testCases := []struct {
Desc, Redirect string
ExpectedResult bool
}{
{
Desc: "noRD",
Redirect: "",
ExpectedResult: false,
},
{
Desc: "singleSlash",
Redirect: "/redirect",
ExpectedResult: true,
},
{
Desc: "doubleSlash",
Redirect: "//redirect",
ExpectedResult: false,
},
{
Desc: "validHTTP",
Redirect: "http://foo.bar/redirect",
ExpectedResult: true,
},
{
Desc: "validHTTPS",
Redirect: "https://foo.bar/redirect",
ExpectedResult: true,
},
{
Desc: "invalidHTTPSubdomain",
Redirect: "http://baz.foo.bar/redirect",
ExpectedResult: false,
},
{
Desc: "invalidHTTPSSubdomain",
Redirect: "https://baz.foo.bar/redirect",
ExpectedResult: false,
},
{
Desc: "validHTTPSubdomain",
Redirect: "http://baz.bar.foo/redirect",
ExpectedResult: true,
},
{
Desc: "validHTTPSSubdomain",
Redirect: "https://baz.bar.foo/redirect",
ExpectedResult: true,
},
{
Desc: "validHTTPDomain",
Redirect: "http://bar.foo/redirect",
ExpectedResult: true,
},
{
Desc: "invalidHTTP1",
Redirect: "http://foo.bar.evil.corp/redirect",
ExpectedResult: false,
},
{
Desc: "invalidHTTPS1",
Redirect: "https://foo.bar.evil.corp/redirect",
ExpectedResult: false,
},
{
Desc: "invalidHTTP2",
Redirect: "http://evil.corp/redirect?rd=foo.bar",
ExpectedResult: false,
},
{
Desc: "invalidHTTPS2",
Redirect: "https://evil.corp/redirect?rd=foo.bar",
ExpectedResult: false,
},
{
Desc: "invalidPort",
Redirect: "https://evil.corp:3838/redirect",
ExpectedResult: false,
},
{
Desc: "invalidEmptyPort",
Redirect: "http://foo.bar:3838/redirect",
ExpectedResult: false,
},
{
Desc: "invalidEmptyPortSubdomain",
Redirect: "http://baz.bar.foo:3838/redirect",
ExpectedResult: false,
},
{
Desc: "validSpecificPort",
Redirect: "http://port.bar:8080/redirect",
ExpectedResult: true,
},
{
Desc: "invalidSpecificPort",
Redirect: "http://port.bar:3838/redirect",
ExpectedResult: false,
},
{
Desc: "validSpecificPortSubdomain",
Redirect: "http://foo.sub.port.bar:8080/redirect",
ExpectedResult: true,
},
{
Desc: "invalidSpecificPortSubdomain",
Redirect: "http://foo.sub.port.bar:3838/redirect",
ExpectedResult: false,
},
{
Desc: "validAnyPort1",
Redirect: "http://anyport.bar:8080/redirect",
ExpectedResult: true,
},
{
Desc: "validAnyPort2",
Redirect: "http://anyport.bar:8081/redirect",
ExpectedResult: true,
},
{
Desc: "validAnyPortSubdomain1",
Redirect: "http://a.sub.anyport.bar:8080/redirect",
ExpectedResult: true,
},
{
Desc: "validAnyPortSubdomain2",
Redirect: "http://a.sub.anyport.bar:8081/redirect",
ExpectedResult: true,
},
}
singleSlash := proxy.IsValidRedirect("/redirect")
assert.Equal(t, true, singleSlash)
for _, tc := range testCases {
t.Run(tc.Desc, func(t *testing.T) {
result := proxy.IsValidRedirect(tc.Redirect)
doubleSlash := proxy.IsValidRedirect("//redirect")
assert.Equal(t, false, doubleSlash)
validHTTP := proxy.IsValidRedirect("http://foo.bar/redirect")
assert.Equal(t, true, validHTTP)
validHTTPS := proxy.IsValidRedirect("https://foo.bar/redirect")
assert.Equal(t, true, validHTTPS)
invalidHTTPSubdomain := proxy.IsValidRedirect("http://baz.foo.bar/redirect")
assert.Equal(t, false, invalidHTTPSubdomain)
invalidHTTPSSubdomain := proxy.IsValidRedirect("https://baz.foo.bar/redirect")
assert.Equal(t, false, invalidHTTPSSubdomain)
validHTTPSubdomain := proxy.IsValidRedirect("http://baz.bar.foo/redirect")
assert.Equal(t, true, validHTTPSubdomain)
validHTTPSSubdomain := proxy.IsValidRedirect("https://baz.bar.foo/redirect")
assert.Equal(t, true, validHTTPSSubdomain)
invalidHTTP1 := proxy.IsValidRedirect("http://foo.bar.evil.corp/redirect")
assert.Equal(t, false, invalidHTTP1)
invalidHTTPS1 := proxy.IsValidRedirect("https://foo.bar.evil.corp/redirect")
assert.Equal(t, false, invalidHTTPS1)
invalidHTTP2 := proxy.IsValidRedirect("http://evil.corp/redirect?rd=foo.bar")
assert.Equal(t, false, invalidHTTP2)
invalidHTTPS2 := proxy.IsValidRedirect("https://evil.corp/redirect?rd=foo.bar")
assert.Equal(t, false, invalidHTTPS2)
invalidPort := proxy.IsValidRedirect("https://evil.corp:3838/redirect")
assert.Equal(t, false, invalidPort)
validAnyPort := proxy.IsValidRedirect("http://foo.bar:3838/redirect")
assert.Equal(t, true, validAnyPort)
validAnyPortSubdomain := proxy.IsValidRedirect("http://baz.bar.foo:3838/redirect")
assert.Equal(t, true, validAnyPortSubdomain)
validSpecificPort := proxy.IsValidRedirect("http://port.bar:8080/redirect")
assert.Equal(t, true, validSpecificPort)
invalidSpecificPort := proxy.IsValidRedirect("http://port.bar:3838/redirect")
assert.Equal(t, false, invalidSpecificPort)
validSpecificPortSubdomain := proxy.IsValidRedirect("http://foo.sub.port.bar:8080/redirect")
assert.Equal(t, true, validSpecificPortSubdomain)
invalidSpecificPortSubdomain := proxy.IsValidRedirect("http://foo.sub.port.bar:3838/redirect")
assert.Equal(t, false, invalidSpecificPortSubdomain)
if result != tc.ExpectedResult {
t.Errorf("expected %t got %t", tc.ExpectedResult, result)
}
})
}
}
type TestProvider struct {