GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
The highest tagged major version isv2.
gitauth
packageThis package is not in the latest version of its module.
Details
Validgo.mod file
The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
- Redistributable license
Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
- Tagged version
Modules with tagged versions give importers more predictable builds.
Stable versionWhen a project reaches major version v1 it is considered stable.
- Learn more about best practices
Repository
Links
Open Source Insights
Documentation¶
Index¶
- func CheckCommand(args, env []string) bool
- func OverrideVSCodeConfigs(fs afero.Fs) error
- func ParseAskpass(prompt string) (user string, host string, err error)
- type AppInstallation
- type Config
- func (c *Config) AppInstallations(ctx context.Context, token string) ([]codersdk.GitAuthAppInstallation, bool, error)
- func (c *Config) RefreshToken(ctx context.Context, db database.Store, gitAuthLink database.GitAuthLink) (database.GitAuthLink, bool, error)
- func (c *Config) ValidateToken(ctx context.Context, token string) (bool, *codersdk.GitAuthUser, error)
- type DeviceAuth
- type ExchangeDeviceCodeResponse
- type OAuth2Config
Constants¶
This section is empty.
Variables¶
This section is empty.
Functions¶
funcCheckCommand¶
CheckCommand returns true if the command arguments and environmentmatch those when the GIT_ASKPASS command is invoked by git.
funcOverrideVSCodeConfigs¶
OverrideVSCodeConfigs overwrites a few properties to consumeGIT_ASKPASS from the host instead of VS Code-specific authentication.
funcParseAskpass¶
ParseAskpass returns the user and host from a git askpass prompt. Forexample: "user1" and "https://github.com". Note that for HTTPprotocols, the URL will never contain a path.
For details on how the prompt is formatted, see `credential_ask_one`:https://github.com/git/git/blob/bbe21b64a08f89475d8a3818e20c111378daa621/credential.c#L173-L191
Types¶
typeAppInstallation¶added inv0.25.0
typeConfig¶
type Config struct {OAuth2Config// ID is a unique identifier for the authenticator.IDstring// Regex is a regexp that URLs will match against.Regex *regexp.Regexp// Type is the type of provider.Typecodersdk.GitProvider// NoRefresh stops Coder from using the refresh token// to renew the access token.//// Some organizations have security policies that require// re-authentication for every token.NoRefreshbool// ValidateURL ensures an access token is valid before// returning it to the user. If omitted, tokens will// not be validated before being returned.ValidateURLstring// AppInstallURL is for GitHub App's (and hopefully others eventually)// to provide a link to install the app. There's installation// of the application, and user authentication. It's possible// for the user to authenticate but the application to not.AppInstallURLstring// InstallationsURL is an API endpoint that returns a list of// installations for the user. This is used for GitHub Apps.AppInstallationsURLstring// DeviceAuth is set if the provider uses the device flow.DeviceAuth *DeviceAuth}Config is used for authentication for Git operations.
funcConvertConfig¶
ConvertConfig converts the SDK configuration entry formatto the parsed and ready-to-consume in coderd provider type.
func (*Config)AppInstallations¶added inv0.25.0
func (c *Config) AppInstallations(ctxcontext.Context, tokenstring) ([]codersdk.GitAuthAppInstallation,bool,error)
AppInstallations returns a list of app installations for the given token.If the provider does not support app installations, it returns nil.
func (*Config)RefreshToken¶added inv0.20.1
func (c *Config) RefreshToken(ctxcontext.Context, dbdatabase.Store, gitAuthLinkdatabase.GitAuthLink) (database.GitAuthLink,bool,error)
RefreshToken automatically refreshes the token if expired and permitted.It returns the token and a bool indicating if the token was refreshed.
func (*Config)ValidateToken¶added inv0.20.1
ValidateToken ensures the Git token provided is valid!The user is optionally returned if the provider supports it.
typeDeviceAuth¶added inv0.25.0
func (*DeviceAuth)AuthorizeDevice¶added inv0.25.0
func (c *DeviceAuth) AuthorizeDevice(ctxcontext.Context) (*codersdk.GitAuthDevice,error)
AuthorizeDevice begins the device authorization flow.See:https://tools.ietf.org/html/rfc8628#section-3.1
func (*DeviceAuth)ExchangeDeviceCode¶added inv0.25.0
ExchangeDeviceCode exchanges a device code for an access token.The boolean returned indicates whether the device code is still pendingand the caller should try again.
Source Files