Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

APP-6932 better local redirect validation #390

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

APP-6932 better local redirect validation #390

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
a1c9620
better local redirect validation
DTCurrie Nov 12, 2024
957ca69
check http
DTCurrie Nov 12, 2024
8f2a6ea
cleanup
DTCurrie Nov 12, 2024
09c30e5
add comment
DTCurrie Nov 12, 2024
afc39f2
whitelist domains and restrict to https or local paths
DTCurrie Nov 14, 2024
c5c876d
lint
DTCurrie Nov 14, 2024
f90d2ee
cleanup comments
DTCurrie Nov 14, 2024
78b0c9d
cleanup comments
DTCurrie Nov 14, 2024
49b1ad4
only allow whitelisted fully-qualified https urls
DTCurrie Nov 14, 2024
b751982
rename file and function to be backto specific
DTCurrie Nov 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 1 addition & 6 deletions web/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -528,12 +528,7 @@ func (h *loginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

if r.FormValue("backto") != "" {
backto := r.FormValue("backto")

// to prevent redirecting to an external URL we only set the session data when:
// 1. we fail to parse backto
// 2. backto does not include a hostname
parsed, err := url.ParseRequestURI(backto)
if err != nil || parsed.Hostname() == "" {
if IsValidBacktoURL(backto) {
session.Data["backto"] = backto
}
}
Expand Down
43 changes: 43 additions & 0 deletions web/backto.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
package web

import (
"net/url"
"strings"
)

var hostnameWhitelist = map[string]bool{
"localhost": true,
"viam.dev": true,
"viam.com": true,
Comment on lines +10 to +11
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should these be app.viam.dev and app.viam.com?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left them as this because we have toyed with allowing users to log in from the marketing page and docs, but maybe I am being a little too forward-thinking here 😃 .

Let's start stricter; I'll update it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gotcha! yeah i wasnt sure if it would pass the hostnameWhitelist[hostname] check for app.viam.com urls otherwise. could be misreading though

}

func isWhitelisted(hostname string) bool {
return hostnameWhitelist[hostname]
}

// IsValidBacktoURL returns true if the passed string is a secure URL to a whitelisted
// hostname. The whitelisted hostnames are: "localhost", "viam.dev", and "viam.com".
//
// - https://example.com -> false
// - http://viam.com/path/name -> false
// - https://viam.com/path/name -> true
func IsValidBacktoURL(path string) bool {
normalized := strings.ReplaceAll(path, "\\", "/")
url, err := url.ParseRequestURI(normalized)
if err != nil {
// ignore invalid URLs/URL components
return false
}

if url.Scheme != "" && url.Scheme != "https" {
// ignore non-secure URLs
return false
}

if isWhitelisted(url.Hostname()) {
// ignore non-whitelisted hosts
return true
}

return false
}
66 changes: 66 additions & 0 deletions web/backto_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
package web

import (
"testing"

"go.viam.com/test"
)

func TestIsValidBacktoURL(t *testing.T) {
t.Run("rejects external URLs", func(t *testing.T) {
test.That(t, IsValidBacktoURL("https://example.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("http://example.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("ftp://example.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("://example.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("//example.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("example.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("www.example.com"), test.ShouldBeFalse)
})

t.Run("rejects invalid production URLs", func(t *testing.T) {
test.That(t, IsValidBacktoURL("http://viam.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("ftp://viam.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("://viam.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("//viam.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("//viam.com/some/path"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("viam.com"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("viam.com/some/path"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("www.viam.com"), test.ShouldBeFalse)
})

t.Run("accepts valid production URLs", func(t *testing.T) {
test.That(t, IsValidBacktoURL("https://viam.com"), test.ShouldBeTrue)
test.That(t, IsValidBacktoURL("https://viam.com/some/path"), test.ShouldBeTrue)
})

t.Run("rejects invalid staging URLs", func(t *testing.T) {
test.That(t, IsValidBacktoURL("http://viam.dev"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("ftp://viam.dev"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("://viam.dev"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("//viam.dev"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("//viam.dev/some/path"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("viam.dev"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("viam.dev/some/path"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("www.viam.dev"), test.ShouldBeFalse)
})

t.Run("accepts valid staging URLs", func(t *testing.T) {
test.That(t, IsValidBacktoURL("https://viam.dev"), test.ShouldBeTrue)
test.That(t, IsValidBacktoURL("https://viam.dev/some/path"), test.ShouldBeTrue)
})

t.Run("rejects invalid local URLs", func(t *testing.T) {
test.That(t, IsValidBacktoURL("http://localhost"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("ftp://localhost"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("://localhost"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("//localhost"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("//localhost/some/path"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("localhost"), test.ShouldBeFalse)
test.That(t, IsValidBacktoURL("localhost/some/path"), test.ShouldBeFalse)
})

t.Run("accepts valid local URLs", func(t *testing.T) {
test.That(t, IsValidBacktoURL("https://localhost"), test.ShouldBeTrue)
test.That(t, IsValidBacktoURL("https://localhost/some/path"), test.ShouldBeTrue)
})
}
Loading