mirror of https://github.com/coder/coder.git
Merge pull request from GHSA-7cc2-r658-7xpf
This fixes a vulnerability with the `CODER_OIDC_EMAIL_DOMAIN` option, where users with a superset of the allowed email domain would be allowed to login. For example, given `CODER_OIDC_EMAIL_DOMAIN=google.com`, a user would be permitted entry if their email domain was `colin-google.com`.
This commit is contained in:
parent
8f190b2016
commit
4439a920e4
|
@ -929,15 +929,23 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
|
|||
|
||||
if len(api.OIDCConfig.EmailDomain) > 0 {
|
||||
ok = false
|
||||
emailSp := strings.Split(email, "@")
|
||||
if len(emailSp) == 1 {
|
||||
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
|
||||
Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
|
||||
})
|
||||
return
|
||||
}
|
||||
userEmailDomain := emailSp[len(emailSp)-1]
|
||||
for _, domain := range api.OIDCConfig.EmailDomain {
|
||||
if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
|
||||
if strings.EqualFold(userEmailDomain, domain) {
|
||||
ok = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !ok {
|
||||
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
|
||||
Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomain),
|
||||
Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
|
||||
})
|
||||
return
|
||||
}
|
||||
|
|
|
@ -798,6 +798,17 @@ func TestUserOIDC(t *testing.T) {
|
|||
"kwc.io",
|
||||
},
|
||||
StatusCode: http.StatusOK,
|
||||
}, {
|
||||
Name: "EmailDomainSubset",
|
||||
IDTokenClaims: jwt.MapClaims{
|
||||
"email": "colin@gmail.com",
|
||||
"email_verified": true,
|
||||
},
|
||||
AllowSignups: true,
|
||||
EmailDomain: []string{
|
||||
"mail.com",
|
||||
},
|
||||
StatusCode: http.StatusForbidden,
|
||||
}, {
|
||||
Name: "EmptyClaims",
|
||||
IDTokenClaims: jwt.MapClaims{},
|
||||
|
|
Loading…
Reference in New Issue