Open redirect in oauth path

internal/server.go

@@ -6,6 +6,8 @@ import (
 
 	"github.com/containous/traefik/pkg/rules"
 	"github.com/sirupsen/logrus"
+
+	"strings"
 )
 
 type Server struct {
@@ -146,6 +148,14 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 			return
 		}
 
+		//Validate redirect
+		redirectBaseUseToForgeStatePrameter := redirectBase(r)
+		if !strings.HasPrefix(redirect+"/", redirectBaseUseToForgeStatePrameter+"/") {
+			logger.Errorf("Redirection %v does not match the redirectBase", redirect)
+			http.Error(w, "Not authorized", 401)
+			return
+		}
+
 		// Generate cookie
 		http.SetCookie(w, MakeCookie(r, user.Email))
 		logger.WithFields(logrus.Fields{

internal/server_test.go

@@ -130,21 +130,31 @@ func TestServerAuthCallback(t *testing.T) {
 	assert.Equal(401, res.StatusCode, "auth callback without cookie shouldn't be authorised")
 
 	// Should catch invalid csrf cookie
-	req = newDefaultHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
+	req = newDefaultHttpRequest("/_oauth?state=12345678901234567890123456789012:http://example.com")
 	c := MakeCSRFCookie(req, "nononononononononononononononono")
 	res, _ = doHttpRequest(req, c)
 	assert.Equal(401, res.StatusCode, "auth callback with invalid cookie shouldn't be authorised")
 
 	// Should redirect valid request
-	req = newDefaultHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
+	req = newDefaultHttpRequest("/_oauth?state=12345678901234567890123456789012:http://example.com/redirect")
 	c = MakeCSRFCookie(req, "12345678901234567890123456789012")
 	res, _ = doHttpRequest(req, c)
 	assert.Equal(307, res.StatusCode, "valid auth callback should be allowed")
 
 	fwd, _ := res.Location()
 	assert.Equal("http", fwd.Scheme, "valid request should be redirected to return url")
-	assert.Equal("redirect", fwd.Host, "valid request should be redirected to return url")
-	assert.Equal("", fwd.Path, "valid request should be redirected to return url")
+	assert.Equal("example.com", fwd.Host, "valid request should be redirected to return url")
+	assert.Equal("/redirect", fwd.Path, "valid request should be redirected to return url")
+
+	req = newDefaultHttpRequest("/_oauth?state=12345678901234567890123456789012:http://example.com.notallowed")
+	c = MakeCSRFCookie(req, "12345678901234567890123456789012")
+	res, _ = doHttpRequest(req, c)
+	assert.Equal(401, res.StatusCode, "redirect domain cannot differ from the host defined in the state parameter")
+
+	req = newDefaultHttpRequest("/_oauth?state=12345678901234567890123456789012:http://notallowed.example.com")
+	c = MakeCSRFCookie(req, "12345678901234567890123456789012")
+	res, _ = doHttpRequest(req, c)
+	assert.Equal(401, res.StatusCode, "subdomain cannot differ from the host defined in the state parameter")
 }
 
 func TestServerDefaultAction(t *testing.T) {
@@ -355,6 +365,7 @@ func newHttpRequest(method, dest, uri string) *http.Request {
 	p, _ := url.Parse(dest)
 	r.Header.Add("X-Forwarded-Method", method)
 	r.Header.Add("X-Forwarded-Host", p.Host)
+	r.Header.Add("X-Forwarded-Proto", p.Scheme)
 	r.Header.Add("X-Forwarded-Uri", uri)
 	return r
 }