Skip to content

Subdomain checking of whitelisted domains could allow unintended redirects in oauth2-proxy

Low severity GitHub Reviewed Published Feb 1, 2021 in oauth2-proxy/oauth2-proxy • Updated Jan 9, 2023

Package

gomod github.com/oauth2-proxy/oauth2-proxy (Go)

Affected versions

<= 3.2.0

Patched versions

None
gomod github.com/oauth2-proxy/oauth2-proxy/v7 (Go)
< 7.0.0
7.0.0

Description

Impact

What kind of vulnerability is it? Who is impacted?
For users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect.

For example, if a whitelist domain was configured for .example.com, the intention is that subdomains of example.com are allowed.
Instead, example.com and badexample.com could also match.

Patches

Has the problem been patched? What versions should users upgrade to?
This is fixed in version 7.0.0 onwards.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.

Original Issue Posted by @semoac:

Whitelist Domain feature is not working as expected because is not matching a dot to ensure the redirect is a subdomain.

Expected Behavior

If whitelist domain is set to .example.com , then hack.alienexample.com should be rejected as a valid redirect.

Current Behavior

The code is removing the dot from .example.com and only checking if the redirect string end with example.com

Possible Solution

Here
https://github.com/oauth2-proxy/oauth2-proxy/blob/c377466411f2aee180a732187edb638f2f7e57fb/oauthproxy.go#L661

Include the dot when checking the string:

strings.HasSuffix(redirectHostname, "." + domainHostname)

Steps to Reproduce (for bugs)

package main

import (
	"fmt"
	"strings"
)

func validOptionalPort(port string) bool {
	if port == "" || port == ":*" {
		return true
	}
	if port[0] != ':' {
		return false
	}
	for _, b := range port[1:] {
		if b < '0' || b > '9' {
			return false
		}
	}
	return true
}

func splitHostPort(hostport string) (host, port string) {
	host = hostport

	colon := strings.LastIndexByte(host, ':')
	if colon != -1 && validOptionalPort(host[colon:]) {
		host, port = host[:colon], host[colon+1:]
	}

	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
		host = host[1 : len(host)-1]
	}

	return
}

func main() {
	domain := ".example.com"
	domainHostname, _ := splitHostPort(strings.TrimLeft(domain, "."))
	redirectHostname := "https://hack.alienexample.com"
	if (strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectHostname, domainHostname)) { fmt.Println("This should not have happen.")}
}

Users of github.com/oauth2-proxy/oauth2-proxy are advised to update to github.com/oauth2-proxy/oauth2-proxy/v7

References

@JoelSpeed JoelSpeed published to oauth2-proxy/oauth2-proxy Feb 1, 2021
Reviewed May 21, 2021
Published to the GitHub Advisory Database May 25, 2021
Last updated Jan 9, 2023

Severity

Low

EPSS score

0.161%
(53rd percentile)

Weaknesses

CVE ID

CVE-2021-21291

GHSA ID

GHSA-4mf2-f3wh-gvf2

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.