outposts/proxy: fix logic error in rd argument
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #1997
This commit is contained in:
parent
4854f81592
commit
0101368369
|
@ -17,7 +17,7 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
|
func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
|
||||||
rd := r.Header.Get(redirectParam)
|
rd := r.URL.Query().Get(redirectParam)
|
||||||
if rd == "" {
|
if rd == "" {
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
|
@ -28,16 +28,16 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
|
||||||
}
|
}
|
||||||
// Check to make sure we only redirect to allowed places
|
// Check to make sure we only redirect to allowed places
|
||||||
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
|
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
|
||||||
if !strings.Contains(u.String(), a.ProxyConfig().ExternalHost) {
|
if !strings.Contains(u.String(), a.proxyConfig.ExternalHost) {
|
||||||
a.log.Warning("redirect URI did not contain external host")
|
a.log.Warning("redirect URI did not contain external host")
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if !strings.HasSuffix(rd, *a.ProxyConfig().CookieDomain) {
|
if !strings.HasSuffix(rd, *a.proxyConfig.CookieDomain) {
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return u.String(), false
|
return u.String(), true
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
|
func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
|
||||||
|
|
32
internal/outpost/proxyv2/application/oauth_test.go
Normal file
32
internal/outpost/proxyv2/application/oauth_test.go
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
package application
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestCheckRedirectParam(t *testing.T) {
|
||||||
|
a := newTestApplication()
|
||||||
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start", nil)
|
||||||
|
|
||||||
|
rd, ok := a.checkRedirectParam(req)
|
||||||
|
|
||||||
|
assert.Equal(t, false, ok)
|
||||||
|
assert.Equal(t, "", rd)
|
||||||
|
|
||||||
|
req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://google.com", nil)
|
||||||
|
|
||||||
|
rd, ok = a.checkRedirectParam(req)
|
||||||
|
|
||||||
|
assert.Equal(t, false, ok)
|
||||||
|
assert.Equal(t, "", rd)
|
||||||
|
|
||||||
|
req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test", nil)
|
||||||
|
|
||||||
|
rd, ok = a.checkRedirectParam(req)
|
||||||
|
|
||||||
|
assert.Equal(t, true, ok)
|
||||||
|
assert.Equal(t, "https://ext.t.goauthentik.io/test", rd)
|
||||||
|
}
|
|
@ -15,6 +15,7 @@ func newTestApplication() *Application {
|
||||||
ClientId: api.PtrString(ak.TestSecret()),
|
ClientId: api.PtrString(ak.TestSecret()),
|
||||||
ClientSecret: api.PtrString(ak.TestSecret()),
|
ClientSecret: api.PtrString(ak.TestSecret()),
|
||||||
CookieSecret: api.PtrString(ak.TestSecret()),
|
CookieSecret: api.PtrString(ak.TestSecret()),
|
||||||
|
ExternalHost: "https://ext.t.goauthentik.io",
|
||||||
CookieDomain: api.PtrString(""),
|
CookieDomain: api.PtrString(""),
|
||||||
Mode: api.PROXYMODE_FORWARD_SINGLE.Ptr(),
|
Mode: api.PROXYMODE_FORWARD_SINGLE.Ptr(),
|
||||||
SkipPathRegex: api.PtrString("/skip.*"),
|
SkipPathRegex: api.PtrString("/skip.*"),
|
||||||
|
|
Reference in a new issue