
[server/auth] ensure safe returnTo param #2879

Merged: 1 commit into master, Jan 13, 2021

Conversation

@AlexTugarev (Member) commented Jan 13, 2021

This PR closes an open redirect issue. AFAIK this is a problem if an attacker would fake a Gitpod-like website and make people use links with redirects to it. The fake website could potentially ask users to enter sensitive information.

Allowing for Gitpod homepage URLs comes in parallel via #2692. ✔️

How to test

  1. log in & log out without errors.
  2. should log in and start a workspace: http://at-returnto.staging.gitpod-dev.com/api/#?host=github.com&returnTo=http://at-returnto.staging.gitpod-dev.com/#https://github.com/gitpod-io/django-locallibrary-tutorial
  3. log out.
  4. should open the dashboard: http://at-returnto.staging.gitpod-dev.com/api/#?host=github.com&returnTo=https://github.com/gitpod-io/gitpod/pull/2879
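The returnTo check this PR describes, as an added TypeScript example that is not the PR's or Gitpod's own code: a returnTo is honoured only when it resolves to the server's own origin (step 2 above) or to an assumed HTTPS host allowlist standing in for the homepage handling of #2692; anything else, including a foreign host as in step 4, falls back to the dashboard. The function name, `serverOrigin`, `allowedHosts` and the dashboard path are assumptions.

```typescript
// Added example, not Gitpod's code. Dashboard path assumed to be "/".
// Uses the WHATWG URL global available in Node and browsers.
const DASHBOARD_PATH = "/";

/**
 * Resolve a returnTo parameter to a URL that is safe to redirect to.
 * - same-origin targets are honoured (step 2 of the PR's test plan);
 * - hosts on an explicit HTTPS allowlist are honoured (assumed stand-in
 *   for the homepage URLs that #2692 allows);
 * - everything else (foreign hosts, protocol-relative "//host" forms,
 *   non-http schemes, unparsable input, empty value) falls back to the
 *   dashboard, which is what step 4 of the test plan expects.
 */
export function safeReturnTo(
  returnTo: string | undefined,
  serverOrigin: string,
  allowedHosts: string[] = []
): string {
  const self = new URL(serverOrigin);
  const fallback = new URL(DASHBOARD_PATH, self).toString();
  if (!returnTo) return fallback;

  let target: URL;
  try {
    // Resolving against our own origin turns a relative path into a
    // same-origin URL, while "//evil.example" resolves to that foreign
    // host and is rejected by the origin comparison below.
    target = new URL(returnTo, self);
  } catch {
    return fallback; // unparsable input
  }

  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return fallback; // javascript:, data:, etc.
  }
  if (target.origin === self.origin) return target.toString();
  if (target.protocol === "https:" && allowedHosts.indexOf(target.hostname) !== -1) {
    return target.toString();
  }
  return fallback;
}
```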

@csweichel (Contributor) left a comment

works as advertised. LGTM.

@AlexTugarev AlexTugarev merged commit 8ca431f into master Jan 13, 2021
@AlexTugarev AlexTugarev deleted the at/returnTo branch January 13, 2021 13:45
@AlexTugarev (Member, Author) commented Jun 22, 2021

Thanks for reporting, @payloadartist! 🙏🏻

Just created an update #4567 to be picked up for https://www.gitpod.io/changelog soon.

@payloadartist commented Jun 22, 2021

> Thanks for reporting, @payloadartist! 🙏🏻
>
> Just created an update #4567 to be picked up for https://www.gitpod.io/changelog soon.

FYI you can credit me with my Twitter handle - https://twitter.com/payloadartist in the changelog if you want

As I already see someone credited for a security vuln


@payloadartist commented

This was assigned CVE-2021-35206 btw

Thanks
