NotificationsYou must be signed in to change notification settings
Fork925
Star10.1k

Commit4439a92

authored

Merge pull request fromGHSA-7cc2-r658-7xpf

This fixes a vulnerability with the `CODER_OIDC_EMAIL_DOMAIN` option,where users with a superset of the allowed email domain would be allowedto login. For example, given `CODER_OIDC_EMAIL_DOMAIN=google.com`, auser would be permitted entry if their email domain was`colin-google.com`.

1 parent8f190b2 commit4439a92Copy full SHA for 4439a92

File tree

2 files changed

+21

-2

lines changed

coderd
- userauth.go
- userauth_test.go

2 files changed

+21

-2

lines changed

`‎coderd/userauth.go`

Lines changed: 10 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -929,15 +929,23 @@ func (api API) userOIDC(rw http.ResponseWriter, r http.Request) {`
`929`	`929`
`930`	`930`	`iflen(api.OIDCConfig.EmailDomain)>0 {`
`931`	`931`	`ok=false`
	`932`	`+emailSp:=strings.Split(email,"@")`
	`933`	`+iflen(emailSp)==1 {`
	`934`	`+httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{`
	`935`	`+Message:fmt.Sprintf("Your email %q is not in domains %q!",email,api.OIDCConfig.EmailDomain),`
	`936`	`+})`
	`937`	`+return`
	`938`	`+}`
	`939`	`+userEmailDomain:=emailSp[len(emailSp)-1]`
`932`	`940`	`for_,domain:=rangeapi.OIDCConfig.EmailDomain {`
`933`		`-ifstrings.HasSuffix(strings.ToLower(email),strings.ToLower(domain)) {`
	`941`	`+ifstrings.EqualFold(userEmailDomain,domain) {`
`934`	`942`	`ok=true`
`935`	`943`	`break`
`936`	`944`	`}`
`937`	`945`	`}`
`938`	`946`	`if!ok {`
`939`	`947`	`httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{`
`940`		`-Message:fmt.Sprintf("Your email %q is not in domains %q!",email,api.OIDCConfig.EmailDomain),`
	`948`	`+Message:fmt.Sprintf("Your email %q is not in domains %q!",email,api.OIDCConfig.EmailDomain),`
`941`	`949`	`})`
`942`	`950`	`return`
`943`	`951`	`}`

`‎coderd/userauth_test.go`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -798,6 +798,17 @@ func TestUserOIDC(t *testing.T) {`
`798`	`798`	`"kwc.io",`
`799`	`799`	`},`
`800`	`800`	`StatusCode:http.StatusOK,`
	`801`	`+}, {`
	`802`	`+Name:"EmailDomainSubset",`
	`803`	`+IDTokenClaims: jwt.MapClaims{`
	`804`	`+"email":"colin@gmail.com",`
	`805`	`+"email_verified":true,`
	`806`	`+},`
	`807`	`+AllowSignups:true,`
	`808`	`+EmailDomain: []string{`
	`809`	`+"mail.com",`
	`810`	`+},`
	`811`	`+StatusCode:http.StatusForbidden,`
`801`	`812`	`}, {`
`802`	`813`	`Name:"EmptyClaims",`
`803`	`814`	`IDTokenClaims: jwt.MapClaims{},`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit4439a92

File tree

2 files changed

2 files changed

`‎coderd/userauth.go`

`‎coderd/userauth_test.go`

0 commit comments