fix: Don't allow arbitrary redirects at login #4780
Merged: jannfis merged 4 commits into argoproj:master (Nov 16, 2020)
Signed-off-by: jannfis <jann@mistrust.net>
jannfis commented on Nov 6, 2020
| returnURL := r.FormValue("return_url") | ||
| // Check if return_url is valid, otherwise abort processing (see #2707) | ||
| if !isValidRedirectURL(returnURL, []string{a.settings.URL}) { | ||
| http.Error(w, "Invalid return_url", http.StatusBadRequest) |
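Review bot: the allowlist passed to isValidRedirectURL is built solely from a.settings.URL, so when the url setting is unset or empty the list holds an empty string and every non-empty return_url is rejected with 400, which breaks login with a return_url silently; either treat an empty a.settings.URL explicitly (fail loudly at startup or log a warning and reject) or document that url is mandatory once this check is in place. Responding with http.StatusBadRequest is reasonable for a client-supplied value that fails validation, but consider logging the rejected host at warn level next to the http.Error call, since repeated rejections are a useful signal that someone is probing the redirect target.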
jannfis (Member, Author) commented:
I was unsure what HTTP response code to choose. I picked HTTP 400 Bad Request, because that's what we basically considered it to be
Codecov Report
@@ Coverage Diff @@
## master #4780 +/- ##
==========================================
+ Coverage 41.19% 41.22% +0.03%
==========================================
Files 127 127
Lines 17667 17688 +21
==========================================
+ Hits 7278 7292 +14
- Misses 9349 9354 +5
- Partials 1040 1042 +2
alexmt approved these changes on Nov 16, 2020
tjamet added a commit to tjamet/argo-cd that referenced this pull request on Jul 6, 2023:
With argoproj#4780, security measures were introduced to ensure the `return_url` is pointing to the current ArgoCD instance. On several occasions, an ArgoCD instance could be exposed through multiple network connections: internal addresses and restricted public addresses. Currently, a single base URL can be configured in the argocd configmap, preventing ArgoCD from being exposed on several access paths. This change allows defining multiple hosts on which ArgoCD can be exposed, keeping backward compatibility by adding a field `additionalUrls` accepting a list of additional URLs on which ArgoCD can be exposed.
Fixes argoproj#5388
Signed-off-by: Thibault Jamet <tjamet@users.noreply.github.com>
tjamet added a commit to tjamet/argo-cd that referenced this pull request on Aug 22, 2023 (same commit message as the Jul 6, 2023 commit above).
tjamet added a commit to tjamet/argo-cd that referenced this pull request on Sep 8, 2023 (same commit message as the Jul 6, 2023 commit above).
This was referenced Nov 19, 2024
Fixes #2707
Check for validity of the `return_url` query parameter at OIDC auth in `/auth/login`. This change ensures that `return_url` is pointing to the URL given in the `url` (`settings.URL`) configuration, or to a path within that URL. For example, if `url` is `https://localhost:4000/argocd`, then the following values for `return_url` will be valid:
- `https://localhost:4000/argocd`
- `https://localhost:4000/argocd/applications`
while the following URLs will not be considered valid and the HTTP request is canceled:
- `https://localhost:4000/applications`
- `https://localhost:4000/argocd/../some/other/app`
- `https://www.google.com`
Refer to https://cwe.mitre.org/data/definitions/601.html and https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html for more details.
Signed-off-by: jannfis jann@mistrust.net
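The validation rule the description spells out (same scheme and host:port as the configured `url`, and a path equal to or beneath its path, with `..` segments resolved before comparison), as an added example in Go that is not argo-cd's own `isValidRedirectURL`; the function name `isSafeReturnURL` and the sample allowlist are assumptions, and it also refuses scheme-relative and backslash-containing inputs, which the PR text does not mention.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// isSafeReturnURL reports whether candidate equals one of the allowed base
// URLs or lies on a path underneath it. Hypothetical re-implementation of the
// check this PR describes, not argo-cd's own code.
func isSafeReturnURL(candidate string, allowedBases []string) bool {
	// Some user agents treat "\" like "/", so parsers may disagree on the
	// host of "https://host\evil.example"; refuse such input outright.
	if strings.Contains(candidate, "\\") {
		return false
	}
	u, err := url.Parse(candidate)
	// Relative or scheme-less forms ("//evil.example") and userinfo are refused.
	if err != nil || !u.IsAbs() || u.Host == "" || u.User != nil {
		return false
	}
	// Resolve "." and ".." before comparing, so "/argocd/../x" compares as "/x".
	cp := path.Clean("/" + u.Path)
	for _, base := range allowedBases {
		b, err := url.Parse(base)
		if err != nil || b.Host == "" {
			continue // an empty or unparsable base (unset url) allows nothing
		}
		if !strings.EqualFold(u.Scheme, b.Scheme) || !strings.EqualFold(u.Host, b.Host) {
			continue
		}
		bp := path.Clean("/" + b.Path)
		if cp == bp || bp == "/" || strings.HasPrefix(cp, bp+"/") {
			return true
		}
	}
	return false
}

func main() {
	allowed := []string{"https://localhost:4000/argocd"} // constructed, mirrors the PR example
	for _, c := range []string{
		"https://localhost:4000/argocd/applications",
		"https://localhost:4000/argocd/../some/other/app",
		"//www.google.com/argocd",
	} {
		fmt.Printf("%-48s allowed=%v\n", c, isSafeReturnURL(c, allowed))
	}
}
```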