Merge pull request from GHSA-5m6c-jp6f-2vcv

* Add more Open Redirect test cases * Add whitelisted domain to test * Add more test cases * Improve invalid redirect regex
2025-06-15 00:15:00 +02:00 · 2020-06-27 12:07:24 +01:00
parent 1b6c54cae1
commit ee5662e0f5
3 changed files with 641 additions and 1 deletions
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@ -1,6 +1,7 @@
 package main

 import (
+	"bufio"
 	"context"
 	"crypto"
 	"encoding/base64"
@ -11,6 +12,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"regexp"
 	"strings"
 	"testing"
@ -386,6 +388,41 @@ func TestIsValidRedirect(t *testing.T) {
 			Redirect:       "/\r\\evil.com",
 			ExpectedResult: false,
 		},
+		{
+			Desc:           "openRedirectTripleTab",
+			Redirect:       "/\t\t/\t/evil.com",
+			ExpectedResult: false,
+		},
+		{
+			Desc:           "openRedirectTripleTab2",
+			Redirect:       "/\t\t\\\t/evil.com",
+			ExpectedResult: false,
+		},
+		{
+			Desc:           "openRedirectQuadTab1",
+			Redirect:       "/\t\t/\t\t\\evil.com",
+			ExpectedResult: false,
+		},
+		{
+			Desc:           "openRedirectQuadTab2",
+			Redirect:       "/\t\t\\\t\t/evil.com",
+			ExpectedResult: false,
+		},
+		{
+			Desc:           "openRedirectPeriod1",
+			Redirect:       "/./\\evil.com",
+			ExpectedResult: false,
+		},
+		{
+			Desc:           "openRedirectPeriod2",
+			Redirect:       "/./../../\\evil.com",
+			ExpectedResult: false,
+		},
+		{
+			Desc:           "openRedirectDoubleTab",
+			Redirect:       "/\t/\t\\evil.com",
+			ExpectedResult: false,
+		},
 	}

 	for _, tc := range testCases {
@ -399,6 +436,50 @@ func TestIsValidRedirect(t *testing.T) {
 	}
 }

+func TestOpenRedirects(t *testing.T) {
+	opts := NewOptions()
+	opts.ClientID = "skdlfj"
+	opts.ClientSecret = "fgkdsgj"
+	opts.Cookie.Secret = "ljgiogbj"
+	// Should match domains that are exactly foo.bar and any subdomain of bar.foo
+	opts.WhitelistDomains = []string{
+		"foo.bar",
+		".bar.foo",
+		"port.bar:8080",
+		".sub.port.bar:8080",
+		"anyport.bar:*",
+		".sub.anyport.bar:*",
+		"www.whitelisteddomain.tld",
+	}
+	opts.Validate()
+
+	proxy := NewOAuthProxy(opts, func(string) bool { return true })
+
+	file, err := os.Open("./test/openredirects.txt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		rd := scanner.Text()
+		t.Run(rd, func(t *testing.T) {
+			rdUnescaped, err := url.QueryUnescape(rd)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if proxy.IsValidRedirect(rdUnescaped) {
+				t.Errorf("Expected %q to not be valid (unescaped: %q)", rd, rdUnescaped)
+			}
+		})
+	}
+
+	if err := scanner.Err(); err != nil {
+		t.Fatal(err)
+	}
+}
+
 type TestProvider struct {
 	*providers.ProviderData
 	EmailAddress   string