synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-03 16:13:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: limit OAuth redirects to local paths (#14585)

Browse Source 
- This prevents a malicious user from crafting a redirect
  URL to a nefarious site under their control.
This commit is contained in:
Jon Ayers
2024-09-10 15:58:50 +01:00
committed by GitHub
parent 2a9234e9ba
commit 328e69629c
8 changed files with 183 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
coderd/coderdtest/coderdtest.go
View File

@ -1143,7 +1143,7 @@ func MustWorkspace(t testing.TB, client *codersdk.Client, workspaceID uuid.UUID)
// RequestExternalAuthCallback makes a request with the proper OAuth2 state cookie
// to the external auth callback endpoint.
func RequestExternalAuthCallback(t testing.TB, providerID string, client *codersdk.Client) *http.Response {
func RequestExternalAuthCallback(t testing.TB, providerID string, client *codersdk.Client, opts ...func(*http.Request)) *http.Response {
client.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
}
@ -1160,6 +1160,9 @@ func RequestExternalAuthCallback(t testing.TB, providerID string, client *coders
Name: codersdk.SessionTokenCookie,
Value: client.SessionToken(),
})
for _, opt := range opts {
opt(req)
}
res, err := client.HTTPClient.Do(req)
require.NoError(t, err)
t.Cleanup(func() {