mirror of https://github.com/coder/coder.git
Merge pull request from GHSA-7cc2-r658-7xpf
This fixes a vulnerability with the `CODER_OIDC_EMAIL_DOMAIN` option, where users with a superset of the allowed email domain would be allowed to login. For example, given `CODER_OIDC_EMAIL_DOMAIN=google.com`, a user would be permitted entry if their email domain was `colin-google.com`.
This commit is contained in:
parent
8f190b2016
commit
4439a920e4
|
@ -929,15 +929,23 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
if len(api.OIDCConfig.EmailDomain) > 0 {
|
if len(api.OIDCConfig.EmailDomain) > 0 {
|
||||||
ok = false
|
ok = false
|
||||||
|
emailSp := strings.Split(email, "@")
|
||||||
|
if len(emailSp) == 1 {
|
||||||
|
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
|
||||||
|
Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
userEmailDomain := emailSp[len(emailSp)-1]
|
||||||
for _, domain := range api.OIDCConfig.EmailDomain {
|
for _, domain := range api.OIDCConfig.EmailDomain {
|
||||||
if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
|
if strings.EqualFold(userEmailDomain, domain) {
|
||||||
ok = true
|
ok = true
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if !ok {
|
if !ok {
|
||||||
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
|
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
|
||||||
Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomain),
|
Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
|
||||||
})
|
})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -798,6 +798,17 @@ func TestUserOIDC(t *testing.T) {
|
||||||
"kwc.io",
|
"kwc.io",
|
||||||
},
|
},
|
||||||
StatusCode: http.StatusOK,
|
StatusCode: http.StatusOK,
|
||||||
|
}, {
|
||||||
|
Name: "EmailDomainSubset",
|
||||||
|
IDTokenClaims: jwt.MapClaims{
|
||||||
|
"email": "colin@gmail.com",
|
||||||
|
"email_verified": true,
|
||||||
|
},
|
||||||
|
AllowSignups: true,
|
||||||
|
EmailDomain: []string{
|
||||||
|
"mail.com",
|
||||||
|
},
|
||||||
|
StatusCode: http.StatusForbidden,
|
||||||
}, {
|
}, {
|
||||||
Name: "EmptyClaims",
|
Name: "EmptyClaims",
|
||||||
IDTokenClaims: jwt.MapClaims{},
|
IDTokenClaims: jwt.MapClaims{},
|
||||||
|
|
Loading…
Reference in New Issue