authorVladimir Shushlin <v.shushlin@gmail.com>2022-03-21 12:11:47 +0300
committerVladimir Shushlin <v.shushlin@gmail.com>2022-03-24 15:40:56 +0300
commit9dbeb71c8a99ed0517b3ba44950ee63c00eb6cf6 (patch)
tree44f235d989e6ff594e789f190f9dde9196725e02 /test
parentf6ada25223c6f9b531a1e30da576ee042b361c2e (diff)
fix: validate that session was issued on the same host
Currently, sessions are valid across all domains. And our auth tokens are also valid for all pages projects the user has access to. This means that a cookie from one website can be reused on another. Attackers can steal cookies in many different ways. The easiest way would be to set up a validated custom domain, then proxy all requests to the pages server, but log the cookies. Once you have a cookie for the attacker's domain, you can reuse it on any other pages domain the target user has access to. This commit saves the current domain in the session and validates it when reading the session. Changelog: security
Diffstat (limited to 'test')
-rw-r--r--test/acceptance/auth_test.go66
1 files changed, 41 insertions, 25 deletions
diff --git a/test/acceptance/auth_test.go b/test/acceptance/auth_test.go
index d7677622..dbc7b900 100644
--- a/test/acceptance/auth_test.go
+++ b/test/acceptance/auth_test.go
@@ -120,7 +120,7 @@ func TestWhenLoginCallbackWithUnencryptedCode(t *testing.T) {
}
// Go to auth page with correct state will cause fetching the token
- authrsp, err := GetPageFromListenerWithHeaders(t, httpsListener, "projects.gitlab-example.com", "/auth?code=1&state="+
+ authrsp, err := GetPageFromListenerWithHeaders(t, httpsListener, "group.auth.gitlab-example.com", "/auth?code=1&state="+
url.Query().Get("state"), header)
require.NoError(t, err)
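Review bot: The comment above the changed call, `// Go to auth page with correct state will cause fetching the token`, no longer explains why the request moved from projects.gitlab-example.com to group.auth.gitlab-example.com; per the commit message the session is now bound to the host that issued it, so this line is presumably exercising that binding. A one-line addition such as `// the session cookie in header was issued for this host; the auth callback must be served on the same one` would keep the intent visible to the next reader. Confirm that wording against the setup earlier in TestWhenLoginCallbackWithUnencryptedCode, which starts outside the hunk.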
@@ -153,60 +153,76 @@ func TestAccessControlUnderCustomDomain(t *testing.T) {
}
for name, tt := range tests {
t.Run(name, func(t *testing.T) {
+ // visit to custom domain
rsp, err := GetRedirectPage(t, httpListener, tt.domain, tt.path)
require.NoError(t, err)
testhelpers.Close(t, rsp.Body)
- cookie := rsp.Header.Get("Set-Cookie")
+ domainCookie := rsp.Header.Get("Set-Cookie")
- url, err := url.Parse(rsp.Header.Get("Location"))
+ projectProxyURL, err := url.Parse(rsp.Header.Get("Location"))
require.NoError(t, err)
- state := url.Query().Get("state")
- require.Equal(t, "http://"+tt.domain, url.Query().Get("domain"))
+ state := projectProxyURL.Query().Get("state")
+ require.Equal(t, "http://"+tt.domain, projectProxyURL.Query().Get("domain"))
- pagesrsp, err := GetRedirectPage(t, httpListener, url.Host, url.Path+"?"+url.RawQuery)
+ // visit projects.gitlab-example.com?state=something
+ projectsProxyRsp, err := GetRedirectPage(t, httpListener,
+ projectProxyURL.Host, projectProxyURL.Path+"?"+projectProxyURL.RawQuery)
require.NoError(t, err)
- testhelpers.Close(t, pagesrsp.Body)
+ testhelpers.Close(t, projectsProxyRsp.Body)
- pagescookie := pagesrsp.Header.Get("Set-Cookie")
+ projectsCookie := projectsProxyRsp.Header.Get("Set-Cookie")
- // Go to auth page with correct state will cause fetching the token
- authrsp, err := GetRedirectPageWithCookie(t, httpListener, tt.domain, "/auth?code=1&state="+
- state, pagescookie)
+ // visit projects.gitlab-example.com?state=something&code=1
+ authRsp, err := GetRedirectPageWithCookie(t, httpListener, projectProxyURL.Host, "/auth?code=1&state="+
+ state, projectsCookie)
require.NoError(t, err)
- testhelpers.Close(t, authrsp.Body)
+ testhelpers.Close(t, authRsp.Body)
- url, err = url.Parse(authrsp.Header.Get("Location"))
+ backDomainURL, err := projectProxyURL.Parse(authRsp.Header.Get("Location"))
require.NoError(t, err)
// Will redirect to custom domain
- require.Equal(t, tt.domain, url.Host)
- code := url.Query().Get("code")
+ require.Equal(t, tt.domain, backDomainURL.Host)
+ code := backDomainURL.Query().Get("code")
require.NotEqual(t, "1", code)
- authrsp, err = GetRedirectPageWithCookie(t, httpListener, tt.domain, "/auth?code="+code+"&state="+
- state, cookie)
+ // visit domain.com/auth?code&state will set the cookie and redirect back to original page
+ selfRedirectRsp, err := GetRedirectPageWithCookie(t, httpListener, tt.domain, "/auth?code="+code+"&state="+
+ state, domainCookie)
require.NoError(t, err)
- testhelpers.Close(t, authrsp.Body)
+ testhelpers.Close(t, selfRedirectRsp.Body)
// Will redirect to the page
- cookie = authrsp.Header.Get("Set-Cookie")
- require.Equal(t, http.StatusFound, authrsp.StatusCode)
+ domainCookie = selfRedirectRsp.Header.Get("Set-Cookie")
+ require.Equal(t, http.StatusFound, selfRedirectRsp.StatusCode)
- url, err = url.Parse(authrsp.Header.Get("Location"))
+ selfRedirectURL, err := projectProxyURL.Parse(selfRedirectRsp.Header.Get("Location"))
require.NoError(t, err)
// Will redirect to custom domain
- require.Equal(t, "http://"+tt.domain+"/"+tt.path, url.String())
+ require.Equal(t, "http://"+tt.domain+"/"+tt.path, selfRedirectURL.String())
// Fetch page in custom domain
- authrsp, err = GetRedirectPageWithCookie(t, httpListener, tt.domain, tt.path, cookie)
+ authRsp, err = GetRedirectPageWithCookie(t, httpListener, tt.domain, tt.path, domainCookie)
require.NoError(t, err)
- testhelpers.Close(t, authrsp.Body)
- require.Equal(t, http.StatusOK, authrsp.StatusCode)
+ testhelpers.Close(t, authRsp.Body)
+ require.Equal(t, http.StatusOK, authRsp.StatusCode)
+
+ // Try to fetch page from another domain
+ // it should restart the auth process ignoring already existing cookie
+ secondAuthRsp, err := GetRedirectPageWithCookie(t, httpListener, "group.auth.gitlab-example.com", "/private.project/", domainCookie)
+ require.NoError(t, err)
+ testhelpers.Close(t, authRsp.Body)
+
+ secondAuthURL, err := url.Parse(secondAuthRsp.Header.Get("Location"))
+ require.NoError(t, err)
+ require.Equal(t, "projects.gitlab-example.com", secondAuthURL.Host)
+ require.Equal(t, "/auth", secondAuthURL.Path)
+ require.Equal(t, "http://group.auth.gitlab-example.com", secondAuthURL.Query().Get("domain"))
})
}
}
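Review bot: The cleanup after the new cross-domain request at the end of the hunk closes the wrong body: `testhelpers.Close(t, authRsp.Body)` follows `secondAuthRsp, err := GetRedirectPageWithCookie(...)`, so `secondAuthRsp.Body` is never closed and `authRsp.Body` is closed a second time; it should read `testhelpers.Close(t, secondAuthRsp.Body)`. It would also make the failure mode clearer to assert `require.Equal(t, http.StatusFound, secondAuthRsp.StatusCode)` before parsing the Location header, as the earlier redirect steps in this test do; with an empty Location the host assertion still fails, but with a less direct message. TestAccessControlUnderCustomDomain starts before the hunk.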