Skip to content

Commit

Permalink
fix: use stdlib to check loopback address (#795)
Browse files Browse the repository at this point in the history
  • Loading branch information
mitar authored Feb 15, 2024
1 parent c5e0ca3 commit 1f27af4
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 16 deletions.
17 changes: 6 additions & 11 deletions authorize_helper.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@ import (
"fmt"
"html/template"
"io"
"net"
"net/url"
"regexp"
"strings"

"github.com/ory/x/errorsx"
Expand Down Expand Up @@ -130,7 +130,7 @@ func isMatchingAsLoopback(requested *url.URL, registeredURI string) bool {
//
// Source: https://tools.ietf.org/html/rfc8252#section-7.3
if requested.Scheme == "http" &&
isLoopbackAddress(requested.Host) &&
isLoopbackAddress(requested.Hostname()) &&
registered.Hostname() == requested.Hostname() &&
// The port is skipped here - see codedoc above!
registered.Path == requested.Path &&
Expand All @@ -141,14 +141,9 @@ func isMatchingAsLoopback(requested *url.URL, registeredURI string) bool {
return false
}

var (
regexLoopbackAddress = regexp.MustCompile(`^(127\.0\.0\.1|\[::1])(:\d+)?$`)
)

// Check if address is either an IPv4 loopback or an IPv6 loopback-
// An optional port is ignored
func isLoopbackAddress(address string) bool {
return regexLoopbackAddress.MatchString(address)
// Check if address is either an IPv4 loopback or an IPv6 loopback.
func isLoopbackAddress(hostname string) bool {
return net.ParseIP(hostname).IsLoopback()
}

// IsValidRedirectURI validates a redirect_uri as specified in:
Expand Down Expand Up @@ -186,7 +181,7 @@ func IsRedirectURISecureStrict(ctx context.Context, redirectURI *url.URL) bool {

func IsLocalhost(redirectURI *url.URL) bool {
hn := redirectURI.Hostname()
return strings.HasSuffix(hn, ".localhost") || hn == "127.0.0.1" || hn == "::1" || hn == "localhost"
return strings.HasSuffix(hn, ".localhost") || isLoopbackAddress(hn) || hn == "localhost"
}

func WriteAuthorizeFormPostResponse(redirectURL string, parameters url.Values, template *template.Template, rw io.Writer) {
Expand Down
23 changes: 18 additions & 5 deletions authorize_helper_whitebox_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
package fosite

import (
"net/url"
"testing"

"github.com/stretchr/testify/assert"
Expand Down Expand Up @@ -34,14 +35,25 @@ func TestIsLookbackAddress(t *testing.T) {
"ShouldReturnTrueIPv6LoopbackWithPort",
"[::1]:1230",
true,
}, {
"ShouldReturnFalse12700255",
},
{
"ShouldReturnTrue12700255",
"127.0.0.255",
false,
true,
},
{
"ShouldReturnFalse12700255WithPort",
"ShouldReturnTrue12700255WithPort",
"127.0.0.255:1230",
true,
},
{
"ShouldReturnFalse128001",
"128.0.0.1",
false,
},
{
"ShouldReturnFalse128001WithPort",
"128.0.0.1:1230",
false,
},
{
Expand All @@ -63,7 +75,8 @@ func TestIsLookbackAddress(t *testing.T) {

for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
assert.Equal(t, tc.expected, isLoopbackAddress(tc.have))
u := url.URL{Host: tc.have}
assert.Equal(t, tc.expected, isLoopbackAddress(u.Hostname()))
})
}
}

0 comments on commit 1f27af4

Please sign in to comment.