more forgiving and robust redirect url capture

accept rd param and X-Auth-Request-Redirect header from both /sign_in and /start handlers avoid accidental redirect to either /sign_in or /start handlers
ploxiln · Feb 2, 2020 · c9fa775 · c9fa775
1 parent 3a7c77f
commit c9fa775
Showing 1 changed file with 28 additions and 17 deletions.
diff --git a/oauthproxy.go b/oauthproxy.go
@@ -450,8 +450,11 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
 	if err != nil {
 		return
 	}
-
 	redirect = req.Form.Get("rd")
+
+	if redirect == "" {
+		redirect = req.Header.Get("X-Auth-Request-Redirect")
+	}
 	if !p.IsValidRedirect(redirect) {
 		redirect = "/"
 	}
@@ -460,23 +463,25 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
 }
 
 func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
-	switch {
-	case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
+	url, err := url.Parse(redirect)
+	if err != nil {
+		return false
+	}
+	if strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") {
 		return true
-	case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
-		url, err := url.Parse(redirect)
-		if err != nil {
-			return false
-		}
+	}
+	if strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://") {
 		for _, domain := range p.whitelistDomains {
-			if (url.Host == domain) || (strings.HasPrefix(domain, ".") && strings.HasSuffix(url.Host, domain)) {
+			if url.Host == domain {
+				return true
+			}
+			if strings.HasPrefix(domain, ".") && strings.HasSuffix(url.Host, domain) {
 				return true
 			}
 		}
 		return false
-	default:
-		return false
 	}
+	return false
 }
 
 func (p *OAuthProxy) IsWhitelistedRequest(req *http.Request) (ok bool) {
@@ -526,14 +531,13 @@ func (p *OAuthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 }
 
 func (p *OAuthProxy) SignIn(rw http.ResponseWriter, req *http.Request) {
-	redirect, err := p.GetRedirect(req)
-	if err != nil {
-		p.ErrorPage(rw, 500, "Internal Error", err.Error())
-		return
-	}
-
 	user, ok := p.ManualSignIn(rw, req)
 	if ok {
+		redirect, err := p.GetRedirect(req)
+		if err != nil {
+			p.ErrorPage(rw, 500, "Internal Error", err.Error())
+			return
+		}
 		session := &providers.SessionState{User: user}
 		p.SaveSession(rw, req, session)
 		http.Redirect(rw, req, redirect, 302)
@@ -563,6 +567,13 @@ func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 		p.ErrorPage(rw, 500, "Internal Error", err.Error())
 		return
 	}
+	redirect_url := req.URL.RequestURI()
+	if req.Header.Get("X-Auth-Request-Redirect") != "" {
+		redirect_url = req.Header.Get("X-Auth-Request-Redirect")
+	}
+	if redirect_url == p.OAuthStartPath {
+		redirect_url = "/"
+	}
 	redirectURI := p.GetRedirectURI(req.Host)
 	http.Redirect(rw, req, p.provider.GetLoginURL(redirectURI, fmt.Sprintf("%v:%v", nonce, redirect)), 302)
 }