
Guard against open redirect URL parameters in login #4763

Merged: katrogan merged 7 commits into master from login-redirect-uri on Jan 23, 2024

Conversation

katrogan (Contributor) commented Jan 23, 2024

Why are the changes needed?

Best practices recommend not allowing open redirect URIs upon log-in; see https://developers.google.com/search/blog/2009/01/open-redirect-urls-is-your-site-being

What changes were proposed in this pull request?

This change uses flyteadmin's configured authorized URIs (for which flyteadmin is exposed and accessible) to validate redirect URIs.

How was this patch tested?

Tested on a local deployment. Tried with /login?redirect_url=http://www.google.com which now fails and with a valid redirect to <flyteadmin>/console which succeeded.

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

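The allowlist check the description outlines, written out as an added Go example (this is not flyteadmin's code): the redirect_url value is parsed and its scheme, host and port are compared against configured authorized origins, and it goes a step further than the page by normalising implied default ports and folding host case. The authorized-origin list, the rule that an empty parameter is acceptable, and the rejection of relative paths are assumptions.

```go
package main

import (
	"net/url"
	"strings"
)

// defaultPort fills in the port implied by the scheme so that
// "https://h" and "https://h:443" compare as the same origin.
func defaultPort(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	switch u.Scheme {
	case "https":
		return "443"
	case "http":
		return "80"
	}
	return ""
}

// sameOrigin matches scheme, host and normalised port. url.Parse already
// lower-cases the scheme; the host is folded here because DNS names are
// case-insensitive (assumption: no case-sensitive hosts in the allowlist).
func sameOrigin(candidate, authorized *url.URL) bool {
	return candidate.Scheme == authorized.Scheme &&
		strings.EqualFold(candidate.Hostname(), authorized.Hostname()) &&
		defaultPort(candidate) == defaultPort(authorized)
}

// RedirectAllowed decides whether redirectParam may be used as the post-login
// redirect. authorizedURIs is a hypothetical stand-in for the configured
// public origins. Policy (assumed): an empty parameter means no redirect was
// requested; anything else must be an absolute URL on an allowlisted origin,
// so relative paths, scheme-relative "//host", "javascript:" and unparsable
// input are all rejected.
func RedirectAllowed(redirectParam string, authorizedURIs []string) bool {
	if redirectParam == "" {
		return true
	}
	target, err := url.Parse(redirectParam)
	if err != nil || target.Scheme == "" || target.Hostname() == "" {
		return false
	}
	for _, raw := range authorizedURIs {
		if authorized, err := url.Parse(raw); err == nil && sameOrigin(target, authorized) {
			return true
		}
	}
	return false
}
```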

@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. security Issues related to Security improvements labels Jan 23, 2024
Signed-off-by: Katrina Rogan <[email protected]>
wild-endeavor previously approved these changes Jan 23, 2024
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Jan 23, 2024

codecov bot commented Jan 23, 2024

Codecov Report

Attention: 9 lines in your changes are missing coverage. Please review.

Comparison is base (ca73251) 58.18% compared to head (dd5e6fa) 58.17%.
Report is 1 commit behind head on master.

File                               Patch %   Lines
flyteadmin/auth/handlers.go        0.00%     4 missing and 1 partial
flyteadmin/auth/handler_utils.go   83.33%    3 missing and 1 partial
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4763      +/-   ##
==========================================
- Coverage   58.18%   58.17%   -0.01%     
==========================================
  Files         626      626              
  Lines       53833    53862      +29     
==========================================
+ Hits        31322    31336      +14     
- Misses      20003    20016      +13     
- Partials     2508     2510       +2     
Flag        Coverage (change)
unittests   58.17% <68.96%> (-0.01%)



return url.Hostname() == authorizedURL.Hostname() && url.Port() == authorizedURL.Port() && url.Scheme == authorizedURL.Scheme
}

func GetRedirectURLAllowed(ctx context.Context, redirectParam string, cfg *config.Config) bool {
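Review bot: the origin comparison on the `return` line treats an omitted port and an explicit default port as different values, so `https://host/console` will not match an authorized `https://host:443` entry (and the reverse), and the `Hostname()` comparison is case-sensitive; unless the configured authorized URIs are guaranteed to be written exactly as clients will send them, normalise the port from the scheme and fold host case before comparing. The variable named `url` in this function also shadows the `net/url` package; a name such as `redirectURL` would avoid that.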
Contributor

Nit: urlRedirectParam

@@ -141,6 +141,11 @@ func GetLoginHandler(ctx context.Context, authCtx interfaces.AuthenticationConte
logger.Debugf(ctx, "Setting CSRF state cookie to %s and state to %s\n", csrfToken, state)
url := authCtx.OAuth2ClientConfig(GetPublicURL(ctx, request, authCtx.Options())).AuthCodeURL(state)
queryParams := request.URL.Query()
if !GetRedirectURLAllowed(ctx, queryParams.Get(RedirectURLParameter), authCtx.Options()) {
logger.Infof(ctx, "unauthorized redirect URI")
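Review bot: the rejection branch in GetLoginHandler logs only "unauthorized redirect URI" without the rejected value, so an operator triaging this line cannot distinguish a misconfigured authorized-URI list from a genuine open-redirect attempt; include at least the host of the rejected parameter in the message. The `url :=` assignment just above the new block also shadows the `net/url` package in this handler; renaming it (for example `authCodeURL`) would help now that the function deals with parsed redirect URLs as well.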
Contributor

Info only

Contributor Author

this is info!

Signed-off-by: Katrina Rogan <[email protected]>
@katrogan katrogan merged commit b8751ee into master Jan 23, 2024
44 of 45 checks passed
@katrogan katrogan deleted the login-redirect-uri branch January 23, 2024 17:28