outposts/proxy: fix logic error in rd argument

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1997
Jens Langhammer 2022-02-15 13:43:55 +01:00
parent 4854f81592
commit 0101368369
3 changed files with 37 additions and 4 deletions


@ -17,7 +17,7 @@ const (
) )
func (a *Application) checkRedirectParam(r *http.Request) (string, bool) { func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
rd := r.Header.Get(redirectParam) rd := r.URL.Query().Get(redirectParam)
if rd == "" { if rd == "" {
return "", false return "", false
} }
@ -28,16 +28,16 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
} }
// Check to make sure we only redirect to allowed places // Check to make sure we only redirect to allowed places
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE { if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
if !strings.Contains(u.String(), a.ProxyConfig().ExternalHost) { if !strings.Contains(u.String(), a.proxyConfig.ExternalHost) {
a.log.Warning("redirect URI did not contain external host") a.log.Warning("redirect URI did not contain external host")
return "", false return "", false
} }
} else { } else {
if !strings.HasSuffix(rd, *a.ProxyConfig().CookieDomain) { if !strings.HasSuffix(rd, *a.proxyConfig.CookieDomain) {
return "", false return "", false
} }
} }
return u.String(), false return u.String(), true
} }
func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) { func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
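Review bot: The allow-list on the new side is still a substring test, not a host comparison — `strings.Contains(u.String(), a.proxyConfig.ExternalHost)` accepts `https://ext.t.goauthentik.io.evil.com/` and `https://evil.com/?x=https://ext.t.goauthentik.io`, and `strings.HasSuffix(rd, *a.proxyConfig.CookieDomain)` runs on the raw string (a path, query or fragment ending in the cookie domain passes) and accepts everything when CookieDomain is empty, which is exactly what the test fixture sets. Now that the function returns `ok == true` on success the redirect is actually honoured, so this is an open redirect until the parsed host is compared properly. Compare `u.Host` against the host of the parsed ExternalHost, and in the domain branch compare `u.Hostname()` (exact match or dot-suffix) while rejecting an empty domain. The parsing of `rd` into `u` happens between the two hunks, outside this view; I assume it is `url.Parse`, in which case `net/url` is already imported and the rewrite below needs no new import.
```go
// … unchanged: rd is read from the query and parsed into u (between the hunks) …
// Check to make sure we only redirect to allowed places: compare hosts, not substrings.
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
	ext, err := url.Parse(a.proxyConfig.ExternalHost)
	if err != nil || ext.Host == "" || !strings.EqualFold(u.Host, ext.Host) {
		a.log.Warning("redirect URI did not match external host")
		return "", false
	}
} else {
	domain := strings.ToLower(strings.TrimPrefix(*a.proxyConfig.CookieDomain, "."))
	host := strings.ToLower(u.Hostname())
	if domain == "" || (host != domain && !strings.HasSuffix(host, "."+domain)) {
		a.log.Warning("redirect URI did not match cookie domain")
		return "", false
	}
}
return u.String(), true
```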


@ -0,0 +1,32 @@
package application
import (
"net/http"
"testing"
"github.com/stretchr/testify/assert"
)
func TestCheckRedirectParam(t *testing.T) {
a := newTestApplication()
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start", nil)
rd, ok := a.checkRedirectParam(req)
assert.Equal(t, false, ok)
assert.Equal(t, "", rd)
req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://google.com", nil)
rd, ok = a.checkRedirectParam(req)
assert.Equal(t, false, ok)
assert.Equal(t, "", rd)
req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test", nil)
rd, ok = a.checkRedirectParam(req)
assert.Equal(t, true, ok)
assert.Equal(t, "https://ext.t.goauthentik.io/test", rd)
}
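Review bot: The new test pins one accepted and one rejected redirect, but the rejected case (`https://google.com`) does not probe the substring check in checkRedirectParam — an `rd` such as `https://ext.t.goauthentik.io.evil.com/` or `https://evil.com/?x=https://ext.t.goauthentik.io` contains the external host and is accepted by the current `strings.Contains` check. Adding those as expected-false cases pins the allow-list to host equality rather than containment; they fail against the current implementation, which is the point. The cookie-domain branch is not exercised at all, because newTestApplication uses FORWARD_SINGLE with an empty CookieDomain, so a second fixture would be needed for that. Separately, `req, _ := http.NewRequest(...)` drops the error; `assert.NoError(t, err)` is cheap and keeps a malformed fixture URL from surfacing as a confusing nil-request panic.
```go
// … unchanged: existing three cases …
for _, bad := range []string{
	"https://ext.t.goauthentik.io.evil.com/",
	"https://evil.com/?x=https://ext.t.goauthentik.io",
} {
	req, err := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd="+bad, nil)
	assert.NoError(t, err)
	rd, ok = a.checkRedirectParam(req)
	assert.False(t, ok, bad)
	assert.Equal(t, "", rd)
}
```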


@ -15,6 +15,7 @@ func newTestApplication() *Application {
ClientId: api.PtrString(ak.TestSecret()), ClientId: api.PtrString(ak.TestSecret()),
ClientSecret: api.PtrString(ak.TestSecret()), ClientSecret: api.PtrString(ak.TestSecret()),
CookieSecret: api.PtrString(ak.TestSecret()), CookieSecret: api.PtrString(ak.TestSecret()),
ExternalHost: "https://ext.t.goauthentik.io",
CookieDomain: api.PtrString(""), CookieDomain: api.PtrString(""),
Mode: api.PROXYMODE_FORWARD_SINGLE.Ptr(), Mode: api.PROXYMODE_FORWARD_SINGLE.Ptr(),
SkipPathRegex: api.PtrString("/skip.*"), SkipPathRegex: api.PtrString("/skip.*"),