fix: limit OAuth redirects to local paths (#14585)

- This prevents a malicious user from crafting a redirect URL to a nefarious site under their control.
2025-07-03 16:13:58 +00:00 · 2024-09-10 15:58:50 +01:00
parent 2a9234e9ba
commit 328e69629c
8 changed files with 183 additions and 20 deletions
--- a/coderd/externalauth.go
+++ b/coderd/externalauth.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"

 	"github.com/sqlc-dev/pqtype"
 	"golang.org/x/sync/errgroup"
@ -306,6 +307,7 @@ func (api *API) externalAuthCallback(externalAuthConfig *externalauth.Config) ht
 			// FE know not to enter the authentication loop again, and instead display an error.
 			redirect = fmt.Sprintf("/external-auth/%s?redirected=true", externalAuthConfig.ID)
 		}
+		redirect = uriFromURL(redirect)
 		http.Redirect(rw, r, redirect, http.StatusTemporaryRedirect)
 	}
 }
@ -401,3 +403,12 @@ func ExternalAuthConfig(cfg *externalauth.Config) codersdk.ExternalAuthLinkProvi
 		AllowValidate: cfg.ValidateURL != "",
 	}
 }
+
+func uriFromURL(u string) string {
+	uri, err := url.Parse(u)
+	if err != nil {
+		return "/"
+	}
+
+	return uri.RequestURI()
+}