-
Notifications
You must be signed in to change notification settings - Fork 969
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Allow wildcard domains for redirect_to checks #1528
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thank you for your contribution! This looks pretty good and I have some ideas how to improve it further :)
driver/config/config.go
Outdated
continue | ||
} | ||
eTLD, icann := publicsuffix.PublicSuffix(parsed.Host) | ||
if parsed.Host[:1] == "*" && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This panics if host
is an empty string. Also, what about foo.*.bar
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most of the cases I can think of is adding some return domain eg: page1.foo.bar or page2.foo.bar where those changes are valid. If we want to make more complicated situations work I would probably go with regex, but is this case really needed?
@@ -55,6 +55,14 @@ func SecureRedirectOverrideDefaultReturnTo(defaultReturnTo *url.URL) SecureRedir | |||
} | |||
} | |||
|
|||
// SecureRedirectToIsWhitelisted validates if the redirect_to param is allowed for a given wildcard | |||
func SecureRedirectToIsWhiteListedHost(returnTo *url.URL, allowed url.URL) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please add tests for this?
x/http_secure_redirect.go
Outdated
// SecureRedirectToIsWhitelisted validates if the redirect_to param is allowed for a given wildcard | ||
func SecureRedirectToIsWhiteListedHost(returnTo *url.URL, allowed url.URL) bool { | ||
if allowed.Host != "" && allowed.Host[:1] == "*" { | ||
return strings.HasSuffix(returnTo.Host, allowed.Host[1:]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the plan for case sensitivity here?
- On documentation, the function docstring is ambiguous,
- when wildcards are used, the match is case-sensitive,
- when wildcards are not used, the match is case-insensitive.
To follow the principle of least surprise, you might want to do one of
- Do strings.HasSuffix(strings.ToLower(returnTo.Host), strings.ToLower(allowed.Host[1:]) here to be case-insensitive.
- .. or do return allowed.Host == returnTo.Host few lines later to be case-sensitive.
- .. or mention this semi-case-insensitivity behavior in the function comment if it is intentional and preferred.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hostnames are case insensitive, so the correct approach would be to have the wildcard matches also case insensitive :)
While the PR is being worked on I will mark it as a draft. That declutters our review backlog :) Once you're done with your changes and would like someone to review them, mark the PR as ready and request a review from one of the maintainers. Thank you! |
@abador are you still up for the changes or should I close this? |
…rect-to-domains # Conflicts: # driver/config/config.go # go.mod
@aeneasr it seems that e2e tests are failing, but it doesn't look it's connected to my changes. If we really need a solution that works with wildcards inside a subdomain please ping me |
I tried pushing some changes required for merging the PR to your fork & branch, but it appears that I am not allowed to do so 😕
But the good news is, giving access is easy! If the repository belongs to an organization, please add me for the project as a collaborator! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great! Now, one last thing :) We need to document it! Could you please add some docs here: https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion
Thank you! 🙏
I've added some more docs in my last commit. |
Great stuff! |
Updated example for `allowed_return_urls` to include wildcard url. [Merged PR from 2021](ory#1528)
Related issue
resolves #943
@aeneasr
Proposed changes
Allow to whitelist a wildcard domain. Domains are filtered out using golang.org/x/net/publicsuffix
Checklist
contributing code guidelines.
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
[email protected]) from the maintainers to push
the changes.
works.
Further comments