Added allowed-url option for secure allowance of custom redirection URLs

samsarahq · Oct 29, 2018 · b094daf · b094daf
1 parent adb695e
commit b094daf
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 8 deletions.
diff --git a/main.go b/main.go
@@ -78,6 +78,7 @@ func main() {
 	flagSet.String("validate-url", "", "Access token validation endpoint")
 	flagSet.String("scope", "", "OAuth scope specification")
 	flagSet.String("approval-prompt", "force", "OAuth approval_prompt")
+	flagSet.String("allowed-url", "", "Regexp for allowed redirect URLs")
 
 	flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)")
 

diff --git a/oauthproxy.go b/oauthproxy.go
@@ -56,6 +56,7 @@ type OAuthProxy struct {
 	AuthOnlyPath      string
 
 	redirectURL         *url.URL // the url to receive requests at
+	allowedURL          string
 	provider            providers.Provider
 	ProxyPrefix         string
 	SignInMessage       string
@@ -233,6 +234,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 		provider:           opts.provider,
 		serveMux:           serveMux,
 		redirectURL:        redirectURL,
+		allowedURL:         opts.AllowedURL,
 		skipAuthRegex:      opts.SkipAuthRegex,
 		skipAuthPreflight:  opts.SkipAuthPreflight,
 		compiledRegex:      opts.CompiledRegex,
@@ -463,12 +465,21 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
 	if err != nil {
 		return
 	}
-
 	redirect = req.Form.Get("rd")
-	if redirect == "" || !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
-		redirect = "/"
+	if p.allowedURL != "" {
+		matched, err := regexp.MatchString(p.allowedURL, redirect)
+		if err != nil {
+			log.Printf("error parsing regexp %s", err)
+			return redirect, err
+		}
+		if !matched {
+			redirect = "/"
+		}
+	} else {
+		if redirect == "" || !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
+			redirect = "/"
+		}
 	}
-
 	return
 }
 
@@ -600,11 +611,20 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 		p.ErrorPage(rw, 403, "Permission Denied", "csrf failed")
 		return
 	}
-
-	if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
-		redirect = "/"
+	if p.allowedURL != "" {
+		matched, err := regexp.MatchString(p.allowedURL, redirect)
+		if err != nil {
+			log.Printf("error parsing regexp %s", err)
+			return
+		}
+		if !matched {
+			redirect = "/"
+		}
+	} else {
+		if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
+			redirect = "/"
+		}
 	}
-
 	// set cookie, or deny
 	if p.Validator(session.Email) && p.provider.ValidateGroup(session.Email) {
 		log.Printf("%s authentication complete %s", remoteAddr, session)

diff --git a/options.go b/options.go
@@ -41,6 +41,7 @@ type Options struct {
 	DisplayHtpasswdForm      bool     `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
 	CustomTemplatesDir       string   `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
 	Footer                   string   `flag:"footer" cfg:"footer"`
+	AllowedURL               string   `flag:"allowed-url" cfg:"allowed-url"`
 
 	CookieName     string        `flag:"cookie-name" cfg:"cookie_name" env:"OAUTH2_PROXY_COOKIE_NAME"`
 	CookieSecret   string        `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`