fix: Strip session_token cookie from app proxy requests (#3528)

Fixes coder/security#1.
2025-07-13 21:36:50 +00:00 · 2022-08-17 12:09:45 -05:00
parent 000e1a5ef2
commit c3f946737c
8 changed files with 94 additions and 16 deletions
--- a/coderd/httpmw/oauth2.go
+++ b/coderd/httpmw/oauth2.go
@ -13,11 +13,6 @@ import (
 	"github.com/coder/coder/cryptorand"
 )

-const (
-	oauth2StateCookieName    = "oauth_state"
-	oauth2RedirectCookieName = "oauth_redirect"
-)
-
 type oauth2StateKey struct{}

 type OAuth2State struct {
@ -71,7 +66,7 @@ func ExtractOAuth2(config OAuth2Config) func(http.Handler) http.Handler {
 				}

 				http.SetCookie(rw, &http.Cookie{
-					Name:     oauth2StateCookieName,
+					Name:     codersdk.OAuth2StateKey,
 					Value:    state,
 					Path:     "/",
 					HttpOnly: true,
@ -80,7 +75,7 @@ func ExtractOAuth2(config OAuth2Config) func(http.Handler) http.Handler {
 				// Redirect must always be specified, otherwise
 				// an old redirect could apply!
 				http.SetCookie(rw, &http.Cookie{
-					Name:     oauth2RedirectCookieName,
+					Name:     codersdk.OAuth2RedirectKey,
 					Value:    r.URL.Query().Get("redirect"),
 					Path:     "/",
 					HttpOnly: true,
@ -98,10 +93,10 @@ func ExtractOAuth2(config OAuth2Config) func(http.Handler) http.Handler {
 				return
 			}

-			stateCookie, err := r.Cookie(oauth2StateCookieName)
+			stateCookie, err := r.Cookie(codersdk.OAuth2StateKey)
 			if err != nil {
 				httpapi.Write(rw, http.StatusUnauthorized, codersdk.Response{
-					Message: fmt.Sprintf("Cookie %q must be provided.", oauth2StateCookieName),
+					Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.OAuth2StateKey),
 				})
 				return
 			}
@ -113,7 +108,7 @@ func ExtractOAuth2(config OAuth2Config) func(http.Handler) http.Handler {
 			}

 			var redirect string
-			stateRedirect, err := r.Cookie(oauth2RedirectCookieName)
+			stateRedirect, err := r.Cookie(codersdk.OAuth2RedirectKey)
 			if err == nil {
 				redirect = stateRedirect.Value
 			}
--- a/coderd/httpmw/oauth2_test.go
+++ b/coderd/httpmw/oauth2_test.go
@ -12,6 +12,7 @@ import (
 	"golang.org/x/oauth2"

 	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/codersdk"
 )

 type testOAuth2Provider struct {
@ -71,7 +72,7 @@ func TestOAuth2(t *testing.T) {
 		t.Parallel()
 		req := httptest.NewRequest("GET", "/?code=something&state=test", nil)
 		req.AddCookie(&http.Cookie{
-			Name:  "oauth_state",
+			Name:  codersdk.OAuth2StateKey,
 			Value: "mismatch",
 		})
 		res := httptest.NewRecorder()
@ -82,7 +83,7 @@ func TestOAuth2(t *testing.T) {
 		t.Parallel()
 		req := httptest.NewRequest("GET", "/?code=test&state=something", nil)
 		req.AddCookie(&http.Cookie{
-			Name:  "oauth_state",
+			Name:  codersdk.OAuth2StateKey,
 			Value: "something",
 		})
 		req.AddCookie(&http.Cookie{