From 2839a5fbfbd731977156d8d0a3c42bd08c61ec8a Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Fri, 29 Sep 2017 16:55:50 +0100
Subject: [PATCH] Add whitelist domains flag

---
 main.go | 2 ++
 oauthproxy.go | 33 +++++++++++++++++++++++++++++++--
 options.go | 1 +
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/main.go b/main.go
index b9d9c96c1..ac13120e9 100644
--- a/main.go
+++ b/main.go
@@ -18,6 +18,7 @@ func main() {
 flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
 emailDomains := StringArray{}
+ whitelistDomains := StringArray{}
 upstreams := StringArray{}
 skipAuthRegex := StringArray{}
 googleGroups := StringArray{}
@@ -43,6 +44,7 @@ func main() {
 flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
 flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
+ flagSet.Var(&whitelistDomains, "whitelist-domains", "allowed domains for redirection after authentication")
 flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 flagSet.String("github-org", "", "restrict logins to members of this organisation")
 flagSet.String("github-team", "", "restrict logins to members of this team")
diff --git a/oauthproxy.go b/oauthproxy.go
index 91608acc3..6332a4123 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -54,6 +54,7 @@ type OAuthProxy struct {
 AuthOnlyPath string
 redirectURL *url.URL // the url to receive requests at
+ whitelistDomains []string
 provider providers.Provider
 ProxyPrefix string
 SignInMessage string
@@ -198,6 +199,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 provider: opts.provider,
 serveMux: serveMux,
 redirectURL: redirectURL,
+ whitelistDomains: opts.WhitelistDomains,
 skipAuthRegex: opts.SkipAuthRegex,
 skipAuthPreflight: opts.SkipAuthPreflight,
 compiledRegex: opts.CompiledRegex,
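Review bot: The help text added for `whitelist-domains` in the second main.go hunk does not tell the operator that the flag is repeatable, although `whitelistDomains` is a `StringArray` exactly like `emailDomains`, whose help text ends with `(may be given multiple times)`. Suggest `"allowed domains for redirection after authentication (may be given multiple times)"` so the two list-valued flags are documented the same way. The sibling struct hunk in oauthproxy.go adds `whitelistDomains []string` without any comment; a short trailing comment like `// hosts the rd parameter may point at after sign-in` would match the commented `redirectURL` field beside it.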
@@ -416,13 +418,40 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
 }
 redirect = req.Form.Get("rd")
- if redirect == "" || !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
+ if !p.IsValidRedirect(redirect) {
 redirect = "/"
 }
 return
 }
+func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
+ switch {
+ case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
+ return true
+ case strings.HasPrefix(redirect, "http://"):
+ redirect = strings.TrimPrefix(redirect, "http://")
+ redirect = strings.Split(redirect, "/")[0]
+ for _, domain := range p.whitelistDomains {
+ if strings.HasSuffix(redirect, domain) {
+ return true
+ }
+ }
+ return false
+ case strings.HasPrefix(redirect, "https://"):
+ redirect = strings.TrimPrefix(redirect, "https://")
+ redirect = strings.Split(redirect, "/")[0]
+ for _, domain := range p.whitelistDomains {
+ if strings.HasSuffix(redirect, domain) {
+ return true
+ }
+ }
+ return false
+ default:
+ return false
+ }
+}
+
 func (p *OAuthProxy) IsWhitelistedRequest(req *http.Request) (ok bool) {
 isPreflightRequestAllowed := p.skipAuthPreflight && req.Method == "OPTIONS"
 return isPreflightRequestAllowed || p.IsWhitelistedPath(req.URL.Path)
@@ -552,7 +581,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 return
 }
- if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
+ if !p.IsValidRedirect(redirect) {
 redirect = "/"
 }
diff --git a/options.go b/options.go
index d884f28b7..8593d2a5f 100644
--- a/options.go
+++ b/options.go
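Review bot: The host check in the new IsValidRedirect is a bare `strings.HasSuffix(redirect, domain)` on the text between the scheme and the first `/`, so a whitelist entry written without a leading dot (say `example.com`) also accepts any host that merely ends in those characters, such as `notexample.com`; the match needs to be anchored at a label boundary, `host == d || strings.HasSuffix(host, "."+d)`. Taking the host from `strings.Split(redirect, "/")[0]` also leaves port, userinfo, `?query` and `#fragment` attached, so `http://example.com:443` or `http://example.com?x=1` are rejected as false negatives, and the comparison is case-sensitive although hostnames are not. Parsing with `url.Parse` and comparing `strings.ToLower(u.Hostname())` fixes all three (the `url` package is already in scope via the `redirectURL *url.URL` field) and lets the duplicated `http://` and `https://` arms collapse into one; the rewrite below keeps the relative-path arm and the `default` unchanged. IsValidRedirect lies entirely inside this hunk, while GetRedirect and IsWhitelistedRequest around it start or end outside it.

```go
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
	switch {
	// … unchanged: "/" but not "//" relative-path arm …
	case strings.HasPrefix(redirect, "http://"), strings.HasPrefix(redirect, "https://"):
		u, err := url.Parse(redirect)
		if err != nil {
			return false
		}
		// Hostname() drops userinfo, port, path, query and fragment.
		host := strings.ToLower(u.Hostname())
		if host == "" {
			return false
		}
		for _, domain := range p.whitelistDomains {
			d := strings.ToLower(domain)
			if strings.HasPrefix(d, ".") {
				// ".example.com": subdomains only; the dot is the label boundary.
				if strings.HasSuffix(host, d) {
					return true
				}
				continue
			}
			// "example.com": the host itself or one of its subdomains.
			if host == d || strings.HasSuffix(host, "."+d) {
				return true
			}
		}
		return false
	default:
		return false
	}
}
```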
@@ -32,6 +32,7 @@ type Options struct {
 AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
 EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
+ WhitelistDomains []string `flag:"whitelist-domains" cfg:"whitelist_domains"`
 GitHubOrg string `flag:"github-org" cfg:"github_org"`
 GitHubTeam string `flag:"github-team" cfg:"github_team"`
 GoogleGroups []string `flag:"google-group" cfg:"google_group"`