GHSA-qqxw-m5fj-f7gv

Suggest an improvement
Source
https://github.com/advisories/GHSA-qqxw-m5fj-f7gv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qqxw-m5fj-f7gv/GHSA-qqxw-m5fj-f7gv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qqxw-m5fj-f7gv
Aliases
Published
2021-12-20T18:02:38Z
Modified
2023-12-06T01:00:35.764592Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L CVSS Calculator
Summary
The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect
Details

Impact

An open redirect vulnerability has been found in oauth2_proxy. Anyone who uses oauth2_proxy may potentially be impacted.

For a context [detectify] have an in depth blog post about the potential impact of an open redirect. Particularly see the OAuth section.

tl;dr: People's authentication tokens could be silently harvested by an attacker. e.g: facebook.com/oauth.php?clientid=123&state=abc&redirect_url=https://yourdomain.com/red.php?url%3dhttps://attacker.com/

Patches

@sauyon found the issue, and has submitted a patch.

diff --git a/oauthproxy.go b/oauthproxy.go
index 72ab580..f420df6 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -517,7 +517,7 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
 // IsValidRedirect checks whether the redirect URL is whitelisted
 func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
    switch {
-   case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
+   case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
        return true
    case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
        redirectURL, err := url.Parse(redirect)

This patch will be applied to the next release, which is scheduled for when this is publicly disclosed.

Workarounds

At this stage there is no work around.

References

Affected packages

Go / github.com/oauth2-proxy/oauth2-proxy

Package

Name
github.com/oauth2-proxy/oauth2-proxy
View open source insights on deps.dev
Purl
pkg:golang/github.com/oauth2-proxy/oauth2-proxy

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.0