
feat: also allow localhost equivalent IP addresses (#3778)
Instead of only checking for "localhost", also validate through
net.ParseIP + IsLoopback whether the host is numerically localhost

Signed-off-by: Daniel Sonck <daniel@sonck.nl>
dsonck92 authored Oct 7, 2024
1 parent 6c77662 commit e7c0682
Showing 2 changed files with 35 additions and 4 deletions.
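--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -668,19 +668,29 @@ func validateRedirectURI(client storage.Client, redirectURI string) bool {
 return true
 }
 
-// verify that the host is of form "http://localhost:(port)(path)" or "http://localhost(path)"
+// verify that the host is of form "http://localhost:(port)(path)", "http://localhost(path)" or numeric form like
+// "http://127.0.0.1:(port)(path)"
 u, err := url.Parse(redirectURI)
 if err != nil {
 return false
 }
 if u.Scheme != "http" {
 return false
 }
-if u.Host == "localhost" {
+return isHostLocal(u.Host)
+}
+
+func isHostLocal(host string) bool {
+if host == "localhost" || net.ParseIP(host).IsLoopback() {
 return true
 }
-host, _, err := net.SplitHostPort(u.Host)
-return err == nil && host == "localhost"
 
+host, _, err := net.SplitHostPort(host)
+if err != nil {
+return false
+}
+
+return host == "localhost" || net.ParseIP(host).IsLoopback()
 }
 
 func validateConnectorID(connectors []storage.Connector, connectorID string) bool {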
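Review bot: `isHostLocal` rejects a bracketed IPv6 loopback literal that carries no port — for `http://[::1]/cb` the value of `u.Host` is `[::1]`, `net.ParseIP("[::1]")` returns nil (and `IsLoopback` on a nil IP is false), and `net.SplitHostPort` fails on the missing port, while `http://[::1]:8080/cb` is accepted through the `SplitHostPort` branch. Passing the bare hostname from the caller removes the asymmetry: change the call to `return isHostLocal(u.Hostname())`, since `url.URL.Hostname` strips both the port and the IPv6 brackets; the first check in `isHostLocal` then covers every form and the `SplitHostPort` fallback can be dropped. `IsLoopback` accepts all of 127.0.0.0/8 and `::1`, not only 127.0.0.1, which is broader than the new doc comment states; consider `// Any loopback literal (127.0.0.0/8 or ::1) is accepted, not just 127.0.0.1.` above `isHostLocal`. `validateRedirectURI` starts above the hunk.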
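--- a/server/oauth2_test.go
+++ b/server/oauth2_test.go
@@ -452,6 +452,27 @@ func TestValidRedirectURI(t *testing.T) {
 redirectURI: "http://localhost",
 wantValid: true,
 },
+{
+client: storage.Client{
+Public: true,
+},
+redirectURI: "http://127.0.0.1:8080/",
+wantValid: true,
+},
+{
+client: storage.Client{
+Public: true,
+},
+redirectURI: "http://127.0.0.1:991/bar",
+wantValid: true,
+},
+{
+client: storage.Client{
+Public: true,
+},
+redirectURI: "http://127.0.0.1",
+wantValid: true,
+},
 // Both Public + RedirectURIs configured: Could e.g. be a PKCE-enabled web app.
 {
 client: storage.Client{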
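Review bot: The three new table entries only exercise the accepting direction; nothing in the hunk pins that a non-loopback IP literal is still rejected by the new `isHostLocal` check, which is the half that matters for redirect-URI validation. Unless the table already has one above the hunk, add a Public client case with a constructed non-loopback address such as `redirectURI: "http://10.0.0.1:8080/", wantValid: false`, and an IPv6 case `redirectURI: "http://[::1]:8080/", wantValid: true` so the bracketed form is covered as well. The table and `TestValidRedirectURI` continue outside the hunk.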
