outposts/proxy: correctly check host in forward domain redirect

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1997
This commit is contained in:
Jens Langhammer 2022-02-15 14:58:19 +01:00
parent 0101368369
commit 5d8c1aa0b0
2 changed files with 22 additions and 2 deletions

View File

@ -29,11 +29,12 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
// Check to make sure we only redirect to allowed places // Check to make sure we only redirect to allowed places
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE { if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
if !strings.Contains(u.String(), a.proxyConfig.ExternalHost) { if !strings.Contains(u.String(), a.proxyConfig.ExternalHost) {
a.log.Warning("redirect URI did not contain external host") a.log.WithField("url", u.String()).WithField("ext", a.proxyConfig.ExternalHost).Warning("redirect URI did not contain external host")
return "", false return "", false
} }
} else { } else {
if !strings.HasSuffix(rd, *a.proxyConfig.CookieDomain) { if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {
a.log.WithField("host", u.Host).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Host was not included in cookie domain")
return "", false return "", false
} }
} }

View File

@ -5,6 +5,7 @@ import (
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"goauthentik.io/api"
) )
func TestCheckRedirectParam(t *testing.T) { func TestCheckRedirectParam(t *testing.T) {
@ -30,3 +31,21 @@ func TestCheckRedirectParam(t *testing.T) {
assert.Equal(t, true, ok) assert.Equal(t, true, ok)
assert.Equal(t, "https://ext.t.goauthentik.io/test", rd) assert.Equal(t, "https://ext.t.goauthentik.io/test", rd)
} }
func TestCheckRedirectParam_Domain(t *testing.T) {
a := newTestApplication()
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
a.proxyConfig.CookieDomain = api.PtrString("t.goauthentik.io")
req, _ := http.NewRequest("GET", "https://a.t.goauthentik.io/outpost.goauthentik.io/auth/start", nil)
rd, ok := a.checkRedirectParam(req)
assert.Equal(t, false, ok)
assert.Equal(t, "", rd)
req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test", nil)
rd, ok = a.checkRedirectParam(req)
assert.Equal(t, true, ok)
assert.Equal(t, "https://ext.t.goauthentik.io/test", rd)
}