From 4854f81592d5e24c1ff70ddc22687ac61a004144 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Tue, 15 Feb 2022 11:05:03 +0100 Subject: [PATCH] outposts/proxy: correctly handle ?rd= param Signed-off-by: Jens Langhammer #1997 --- internal/outpost/proxyv2/application/oauth.go | 38 ++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go index 044d2e072..14fb813b2 100644 --- a/internal/outpost/proxyv2/application/oauth.go +++ b/internal/outpost/proxyv2/application/oauth.go @@ -3,14 +3,45 @@ package application import ( "encoding/base64" "net/http" + "net/url" + "strings" "time" "github.com/gorilla/securecookie" + "goauthentik.io/api" "goauthentik.io/internal/outpost/proxyv2/constants" ) +const ( + redirectParam = "rd" +) + +func (a *Application) checkRedirectParam(r *http.Request) (string, bool) { + rd := r.Header.Get(redirectParam) + if rd == "" { + return "", false + } + u, err := url.Parse(rd) + if err != nil { + a.log.WithError(err).Warning("Failed to parse redirect URL") + return "", false + } + // Check to make sure we only redirect to allowed places + if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE { + if !strings.Contains(u.String(), a.ProxyConfig().ExternalHost) { + a.log.Warning("redirect URI did not contain external host") + return "", false + } + } else { + if !strings.HasSuffix(rd, *a.ProxyConfig().CookieDomain) { + return "", false + } + } + return u.String(), false +} + func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) { - newState := base64.RawStdEncoding.EncodeToString(securecookie.GenerateRandomKey(32)) + newState := base64.RawURLEncoding.EncodeToString(securecookie.GenerateRandomKey(32)) s, err := a.sessions.Get(r, constants.SeesionName) if err != nil { s.Values[constants.SessionOAuthState] = []string{} @@ -20,6 +51,11 @@ func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) { s.Values[constants.SessionOAuthState] = []string{} state = []string{} } + rd, ok := a.checkRedirectParam(r) + if ok { + s.Values[constants.SessionRedirect] = rd + a.log.WithField("rd", rd).Trace("Setting redirect") + } s.Values[constants.SessionOAuthState] = append(state, newState) err = s.Save(r, rw) if err != nil {