Security: protect against open redirects #415

afeld · 2022-04-11T19:57:16Z

The origin set in session.py is used for history and (as of #414) redirection after login.

Lines 237 to 239 in c8689c6

    
           if origin is not None: 
        
               logger.debug(f"Update session {_ORIGIN}") 
        
               request.session[_ORIGIN] = origin

Currently, all cases where the origin are set are "trusted", but I could imagine a case where we take that path from a query parameter, leaving ourselves vulnerable to an open redirect vulnerability. We should validate the URL/path being passed.

Info about open redirects:

The text was updated successfully, but these errors were encountered:

thekaveman · 2022-04-11T20:18:51Z

A straightforward way to implement this protection might be to move the usage of Django's reverse() helper from the callers of update() into the function itself.

That would embed and enforce the assumption that the origin is a safe identifier for a known Django application route. A call to reverse() with an invalid route name or a random external URL would fail, causing the update to fail.

E.g. where right now, say in a view, we might call update() like:

session.update(request, origin=reverse("eligibility:start"))

We change the session.update() code as follows:

if origin is not None: 
     logger.debug(f"Update session {_ORIGIN}") 
     request.session[_ORIGIN] = reverse(origin)

And callers like:

session.update(request, origin="eligibility:start")

Though we have a few places where a direct URL is passed that would need to be updated, e.g. in the agency_index() view function. In that example we'd need to pass an extra parameter into the update() method to be able to resolve the agency's index page with the core:agency_index route definition.

afeld · 2022-04-11T20:55:49Z

How Django does it:

https://github.com/django/django/blob/13a9cde133ac82e33dd091ca9bb9c677804afbe1/django/contrib/auth/views.py#L74-L84

afeld · 2022-05-09T23:05:05Z

Looked through the app and we don't have any redirects coming from parameters, so not going to worry about this for now.

afeld added bug Something isn't working back-end Django views, sessions, middleware, models, migrations etc. labels Apr 11, 2022

afeld added this to Digital Services Apr 11, 2022

afeld moved this to Icebox in Digital Services Apr 11, 2022

thekaveman moved this from Icebox to Backlog in Digital Services Apr 11, 2022

afeld mentioned this issue Apr 12, 2022

Security: add tests #418

Closed

4 tasks

thekaveman added security Changes to improve or maintain the availability and resilience of the app and removed bug Something isn't working labels Apr 12, 2022

thekaveman moved this from Backlog to This Sprint in Digital Services Apr 12, 2022

thekaveman moved this from This Sprint to Backlog in Digital Services Apr 12, 2022

thekaveman mentioned this issue Apr 20, 2022

Add tests for Django app #413

Closed

12 tasks

afeld removed the status in Digital Services Apr 27, 2022

afeld closed this as completed May 9, 2022

afeld moved this to Done in Digital Services May 9, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: protect against open redirects #415

Security: protect against open redirects #415

afeld commented Apr 11, 2022

thekaveman commented Apr 11, 2022 •

edited

Loading

afeld commented Apr 11, 2022

afeld commented May 9, 2022

Security: protect against open redirects #415

Security: protect against open redirects #415

Comments

afeld commented Apr 11, 2022

thekaveman commented Apr 11, 2022 • edited Loading

afeld commented Apr 11, 2022

afeld commented May 9, 2022

thekaveman commented Apr 11, 2022 •

edited

Loading