go-pkgz / auth / 25592713665
85%

Build:
DEFAULT BRANCH: master
Ran 09 May 2026 05:20AM UTC
Jobs 1
Files 25
Run time 1min
09 May 2026 05:18AM UTC coverage: 84.904% (+0.4%) from 84.468%
Build 25592713665 · push · github · umputun
fix(provider): backport "from" redirect validator to v1 (sibling of #275)

The "from" query parameter accepted by oauth1/oauth2/apple/verify login
handlers was stored verbatim in the handshake JWT and used as the
redirect target after a successful auth handshake with no validation.
Any external URL passed as "from" became a 307 redirect after the user
completed the real OAuth flow with the legitimate provider — usable for
phishing and post-auth landing-page substitution.

This is the same vulnerability fixed in v2 by #275; v1 was untouched.
This PR ports the validator to v1 with the same opt-in policy:

* token.AllowedHosts (interface) + AllowedHostsFunc (adapter), mirroring
  the existing token.Audience pattern.
* Opts.AllowedRedirectHosts threaded through provider.Params,
  AppleHandler (via embedded Params) and VerifyHandler (own URL +
  AllowedRedirectHosts fields).
* provider.isAllowedRedirect centralises the check; all four redirect
  call sites (oauth1.go:165, oauth2.go:241, apple.go:395, verify.go:141)
  gate on it and fall back to the existing JSON user-info response on
  rejection (with a [WARN] log via redirectHostForLog so attacker-
  supplied paths/queries do not leak into logs).

Default (nil allowlist) is permissive — preserves pre-feature behaviour
so existing consumers see no change. Hardening is enabled by setting
Opts.AllowedRedirectHosts; passing an AllowedHostsFunc that returns nil
restricts redirects to the service URL host only. Hostname comparison
is case-insensitive and ignores the default port; non-http(s) schemes
(javascript:, data:, ftp:) are rejected.

Tests:
* TestIsAllowedRedirect — 24 table cases covering permissive default,
  typed-nil guard, port equivalence, case-insensitivity, scheme
  rejection, allowlist matching.
* TestRedirectHostForLog — 5 cases.
* TestOauth2LoginFromRejectsExternalHost / TestOauth2LoginFromAllowsAllowlistedHost
  — integration coverage of the oauth2 path (negative + positive).
* TestVerifyHand... (continued)
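
As an added illustration (not the project's code or this PR's implementation), the allowlist rules described above written out in Go: a nil allowlist stays permissive, an allowlist function returning nil restricts redirects to the service host, hosts compare case-insensitively with the default port ignored, non-http(s) schemes are rejected, and the log helper keeps only scheme and host. All type and function names here are this example's own assumptions, and relative-path targets are outside its scope.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// AllowedHosts/AllowedHostsFunc: hypothetical stand-ins for the opt-in allowlist the commit message describes.
type AllowedHosts interface{ Get() []string }
type AllowedHostsFunc func() []string

func (f AllowedHostsFunc) Get() []string { return f() }

// normalizeHost lowercases host[:port] and drops the default ports 80/443, so "App.Example.com:443" equals "app.example.com".
func normalizeHost(hostport string) string {
	h := strings.ToLower(hostport)
	if host, port, err := net.SplitHostPort(h); err == nil && (port == "80" || port == "443") {
		return host
	}
	return h
}

// isAllowedRedirect: a nil allowlist is permissive (pre-feature behaviour); otherwise only
// absolute http(s) URLs whose host is the service host or an allowlisted host pass.
func isAllowedRedirect(from, serviceHost string, allowed AllowedHosts) bool {
	if allowed == nil {
		return true
	}
	u, err := url.Parse(from)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false // rejects javascript:, data:, ftp: and scheme-less targets
	}
	target := normalizeHost(u.Host)
	for _, h := range append([]string{serviceHost}, allowed.Get()...) {
		if target == normalizeHost(h) {
			return true
		}
	}
	return false
}

// redirectHostForLog keeps only scheme and host, so attacker-supplied paths and
// query strings never reach the [WARN] log line.
func redirectHostForLog(from string) string {
	if u, err := url.Parse(from); err == nil {
		return u.Scheme + "://" + u.Host
	}
	return "<unparseable>"
}
```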

7 of 7 new or added lines in 1 file covered. (100.0%)

2829 of 3332 relevant lines covered (84.9%)

7.86 hits per line

Jobs
ID  Job ID          Ran                      Files  Coverage
1   25592713665.1   09 May 2026 05:20AM UTC  25     84.9
GitHub Action Run
Source Files on build 25592713665
Commit dde9063b on github