Merge pull request from GHSA-7cc2-r658-7xpf

This fixes a vulnerability with the `CODER_OIDC_EMAIL_DOMAIN` option, where users with a superset of the allowed email domain would be allowed to login. For example, given `CODER_OIDC_EMAIL_DOMAIN=google.com`, a user would be permitted entry if their email domain was `colin-google.com`.
2025-07-03 16:13:58 +00:00 · 2024-03-04 11:52:03 -06:00
parent 8f190b2016
commit 4439a920e4
2 changed files with 21 additions and 2 deletions
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@ -798,6 +798,17 @@ func TestUserOIDC(t *testing.T) {
 			"kwc.io",
 		},
 		StatusCode: http.StatusOK,
+	}, {
+		Name: "EmailDomainSubset",
+		IDTokenClaims: jwt.MapClaims{
+			"email":          "colin@gmail.com",
+			"email_verified": true,
+		},
+		AllowSignups: true,
+		EmailDomain: []string{
+			"mail.com",
+		},
+		StatusCode: http.StatusForbidden,
 	}, {
 		Name:          "EmptyClaims",
 		IDTokenClaims: jwt.MapClaims{},