Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Covert Redirect" Vulnerability #696

Closed
praihan opened this issue Aug 9, 2016 · 11 comments
Closed

"Covert Redirect" Vulnerability #696

praihan opened this issue Aug 9, 2016 · 11 comments

Comments

@praihan
Copy link

praihan commented Aug 9, 2016
edited
Loading

@lynndylanhurley @booleanbetrayal

I can't seem to find a way to whitelist values for auth_origin_url used here.

Here's a quick description

Here it is in a nutshell: If your web site (example.com) implements an open redirect endpoint - that is, implements a URL that will redirect the browser to any URL given in the URL parameters - AND your redirect copies URL parameters from the incoming URL to the outgoing redirect URL, then it is possible for third parties to exploit this artifact of your web site in a wide variety of nasty ways.

Something like this is currently possible:
http://localhost:3000/auth/:provider/?origin=https://evil.com/capture-access-token

Other than writing my own controller, what is the solution?
@praihan
Copy link
Author

praihan commented Aug 10, 2016

I've used before_action for now, but I still don't think the default set up should have a vulnerability.

@praihan praihan closed this as completed Aug 11, 2016
@booleanbetrayal
Copy link
Collaborator

@prshreshtha - playing catch up. did you close this because you decided this was invalid?

@praihan
Copy link
Author

praihan commented Aug 14, 2016
edited
Loading

No. But you can avoid it by having your own controller. By default, this is still an issue. I think at the very least, the docs should mention it. Personally, I think whitelisting should be in the configuration.

I'm not sure why I had closed the issue. It was probably an error on my part, sorry.

@praihan praihan reopened this Aug 14, 2016
@lynndylanhurley
Copy link
Owner

Does the redirect_whitelist configuration setting address this issue?

https://github.com/lynndylanhurley/devise_token_auth#configuration-cont

@praihan
Copy link
Author

praihan commented Aug 14, 2016

OmniauthCallbacksController doesn't seem to use it like RegistrationsController or PasswordsController. Perhaps changing that is all that is needed. OmniauthTest doesn't have a test case for this either like the other controllers, which makes me think that not using the whitelist might have been intended. Thoughts?

lynndylanhurley added a commit that referenced this issue Aug 14, 2016
@lynndylanhurley
fix #696
2f37b6e
@lynndylanhurley lynndylanhurley mentioned this issue Aug 14, 2016
Merged
@lynndylanhurley
Copy link
Owner

@prshreshtha - does #699 resolve the issue?

@praihan
Copy link
Author

praihan commented Aug 14, 2016

👍

@lynndylanhurley
Copy link
Owner

@prshreshtha - thanks for bringing this up.

@booleanbetrayal - we may want to cut a release to patch this vulnerability. what do you think?

@booleanbetrayal
Copy link
Collaborator

sounds good ... just merged the fix

@booleanbetrayal
Copy link
Collaborator

@lynndylanhurley / @prshreshtha - just built and pushed v0.1.39

@lynndylanhurley
Copy link
Owner

Thanks @booleanbetrayal!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lynndylanhurley @booleanbetrayal @praihan