NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit7b132e4

committed

Move redirect check into query parser

It will now be checked on the token side as well, although we do notactually use it there anyway. But this seems more right.The URL parser was added for this OAuth2 code so we can just rename it.

1 parent6e3940d commit7b132e4Copy full SHA for 7b132e4

File tree

3 files changed

+14

-27

lines changed

coderd/httpapi
- queryparams.go
enterprise/coderd/identityprovider
- authorize.go
- tokens.go

3 files changed

+14

-27

lines changed

`‎coderd/httpapi/queryparams.go`

Lines changed: 12 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -123,14 +123,24 @@ func (p *QueryParamParser) UUIDs(vals url.Values, def []uuid.UUID, queryParam st`
`123`	`123`	`})`
`124`	`124`	`}`
`125`	`125`
`126`		`-func (pQueryParamParser)URL(vals url.Values,defurl.URL,queryParamstring)*url.URL {`
`127`		`-v,err:=parseQueryParam(p,vals,url.Parse,def,queryParam)`
	`126`	`+func (pQueryParamParser)RedirectURL(vals url.Values,baseurl.URL,queryParamstring)*url.URL {`
	`127`	`+v,err:=parseQueryParam(p,vals,url.Parse,base,queryParam)`
`128`	`128`	`iferr!=nil {`
`129`	`129`	`p.Errors=append(p.Errors, codersdk.ValidationError{`
`130`	`130`	`Field:queryParam,`
`131`	`131`	`Detail:fmt.Sprintf("Query param %q must be a valid url: %s",queryParam,err.Error()),`
`132`	`132`	`})`
`133`	`133`	`}`
	`134`	`+`
	`135`	`+// It can be a sub-directory but not a sub-domain, as we have apps on`
	`136`	`+// sub-domains and that seems too dangerous.`
	`137`	`+ifv.Host!=base.Host\|\|!strings.HasPrefix(v.Path,base.Path) {`
	`138`	`+p.Errors=append(p.Errors, codersdk.ValidationError{`
	`139`	`+Field:queryParam,`
	`140`	`+Detail:fmt.Sprintf("Query param %q is invalid",queryParam),`
	`141`	`+})`
	`142`	`+}`
	`143`	`+`
`134`	`144`	`returnv`
`135`	`145`	`}`
`136`	`146`

`‎enterprise/coderd/identityprovider/authorize.go`

Lines changed: 1 addition & 24 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,10 +3,8 @@ package identityprovider`
`3`	`3`	`import (`
`4`	`4`	`"database/sql"`
`5`	`5`	`"errors"`
`6`		`-"fmt"`
`7`	`6`	`"net/http"`
`8`	`7`	`"net/url"`
`9`		`-"strings"`
`10`	`8`	`"time"`
`11`	`9`
`12`	`10`	`"github.com/google/uuid"`
`@@ -40,7 +38,7 @@ func extractAuthorizeParams(r *http.Request, callbackURL string) (authorizeParam`
`40`	`38`	`}`
`41`	`39`	`params:=authorizeParams{`
`42`	`40`	`clientID:p.String(vals,"","client_id"),`
`43`		`-redirectURL:p.URL(vals,cb,"redirect_uri"),`
	`41`	`+redirectURL:p.RedirectURL(vals,cb,"redirect_uri"),`
`44`	`42`	`responseType:httpapi.ParseCustom(p,vals,"","response_type",httpapi.ParseEnum[codersdk.OAuth2ProviderResponseType]),`
`45`	`43`	`scope:p.Strings(vals, []string{},"scope"),`
`46`	`44`	`state:p.String(vals,"","state"),`
`@@ -49,13 +47,6 @@ func extractAuthorizeParams(r *http.Request, callbackURL string) (authorizeParam`
`49`	`47`	`// We add "redirected" when coming from the authorize page.`
`50`	`48`	`_=p.String(vals,"","redirected")`
`51`	`49`
`52`		`-iferr:=validateRedirectURL(cb,params.redirectURL.String());err!=nil {`
`53`		`-p.Errors=append(p.Errors, codersdk.ValidationError{`
`54`		`-Field:"redirect_uri",`
`55`		`-Detail:fmt.Sprintf("Query param %q is invalid","redirect_uri"),`
`56`		`-})`
`57`		`-}`
`58`		`-`
`59`	`50`	`p.ErrorExcessParams(vals)`
`60`	`51`	`returnparams,p.Errors,nil`
`61`	`52`	`}`
`@@ -143,17 +134,3 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {`
`143`	`134`	`// Always wrap with its custom mw.`
`144`	`135`	`returnauthorizeMW(accessURL)(http.HandlerFunc(handler)).ServeHTTP`
`145`	`136`	`}`
`146`		`-`
`147`		`-// validateRedirectURL validates that the redirectURL is contained in baseURL.`
`148`		`-funcvalidateRedirectURL(baseURL*url.URL,redirectURLstring)error {`
`149`		`-redirect,err:=url.Parse(redirectURL)`
`150`		`-iferr!=nil {`
`151`		`-returnerr`
`152`		`-}`
`153`		`-// It can be a sub-directory but not a sub-domain, as we have apps on`
`154`		`-// sub-domains so it seems too dangerous.`
`155`		`-ifredirect.Host!=baseURL.Host\|\|!strings.HasPrefix(redirect.Path,baseURL.Path) {`
`156`		`-returnxerrors.New("invalid redirect URL")`
`157`		`-}`
`158`		`-returnnil`
`159`		`-}`

`‎enterprise/coderd/identityprovider/tokens.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ func extractTokenParams(r *http.Request, callbackURL string) (tokenParams, []cod`
`52`	`52`	`clientID:p.String(vals,"","client_id"),`
`53`	`53`	`clientSecret:p.String(vals,"","client_secret"),`
`54`	`54`	`code:p.String(vals,"","code"),`
`55`		`-redirectURL:p.URL(vals,cb,"redirect_uri"),`
	`55`	`+redirectURL:p.RedirectURL(vals,cb,"redirect_uri"),`
`56`	`56`	`grantType:httpapi.ParseCustom(p,vals,"","grant_type",httpapi.ParseEnum[codersdk.OAuth2ProviderGrantType]),`
`57`	`57`	`}`
`58`	`58`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7b132e4

File tree

3 files changed

3 files changed

`‎coderd/httpapi/queryparams.go`

`‎enterprise/coderd/identityprovider/authorize.go`

`‎enterprise/coderd/identityprovider/tokens.go`

0 commit comments