From 8c7fe1f00874ea94161570c040136c1b1a53d3a2 Mon Sep 17 00:00:00 2001 From: Vladimir Shushlin Date: Mon, 21 Mar 2022 16:11:47 +0700 Subject: fix: validate that session was issued on the same host Currently, sessions are valid across all domains. And our auth tokens are also valid for all pages projects user has access to. This means that cookie from one website can be reused on the another. Attackers can steal cookies in many different ways. The easiest way would be to setup a validated custom domain, then proxy all requests to pages server, but log the cookies. Once you have a cookie for attackers domain, you can reuse it on any other pages domain the target user has access to. This commit saves current domain in the session and validates it when reading the session. Changelog: security --- internal/auth/session.go | 61 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 internal/auth/session.go (limited to 'internal/auth/session.go') diff --git a/internal/auth/session.go b/internal/auth/session.go new file mode 100644 index 00000000..40ab6467 --- /dev/null +++ b/internal/auth/session.go @@ -0,0 +1,61 @@ +package auth + +import ( + "net/http" + + "github.com/gorilla/sessions" + + "gitlab.com/gitlab-org/gitlab-pages/internal/httperrors" + "gitlab.com/gitlab-org/gitlab-pages/internal/request" +) + +type hostSession struct { + *sessions.Session +} + +const sessionHostKey = "_session_host" + +func (s *hostSession) Save(r *http.Request, w http.ResponseWriter) error { + s.Session.Values[sessionHostKey] = r.Host + + return s.Session.Save(r, w) +} + +func (a *Auth) getSessionFromStore(r *http.Request) (*hostSession, error) { + session, err := a.store.Get(r, "gitlab-pages") + + if session != nil { + // Cookie just for this domain + session.Options.Path = "/" + session.Options.HttpOnly = true + session.Options.Secure = request.IsHTTPS(r) + session.Options.MaxAge = authSessionMaxAge + + if session.Values[sessionHostKey] == nil || session.Values[sessionHostKey] != r.Host { + session.Values = make(map[interface{}]interface{}) + } + } + + return &hostSession{session}, err +} + +func (a *Auth) checkSession(w http.ResponseWriter, r *http.Request) (*hostSession, error) { + // Create or get session + session, errsession := a.getSessionFromStore(r) + + if errsession != nil { + // Save cookie again + errsave := session.Save(r, w) + if errsave != nil { + logRequest(r).WithError(errsave).Error(saveSessionErrMsg) + captureErrWithReqAndStackTrace(errsave, r) + httperrors.Serve500(w) + return nil, errsave + } + + http.Redirect(w, r, getRequestAddress(r), http.StatusFound) + return nil, errsession + } + + return session, nil +} -- cgit v1.2.3