Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(oauth2): strict string matching for redirect_uri #82294

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat(oauth2): strict string matching for redirect_uri #82294

wants to merge 2 commits into from

Conversation

oioki
Copy link
Member

@oioki oioki commented Dec 18, 2024
edited
Loading

Enforcing strict string matching for redirect_uri for more secure OAuth2 flows according to best practices:

@oioki oioki requested a review from a team December 18, 2024 09:47
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Dec 18, 2024
oioki
oioki commented Dec 18, 2024
View reviewed changes
tests/sentry/models/test_apiapplication.py
@@ -13,15 +13,15 @@ def test_is_valid_redirect_uri(self):
assert app.is_valid_redirect_uri("http://example.com/")
assert app.is_valid_redirect_uri("http://example.com")
assert app.is_valid_redirect_uri("http://example.com/.")
assert app.is_valid_redirect_uri("http://example.com//")
assert app.is_valid_redirect_uri("http://example.com/biz/baz")
assert not app.is_valid_redirect_uri("http://example.com//")
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First three examples are normalized to / by user agents. However, the last one is //, considered a different URL:

$ curl -v http://example.com/ 2>&1 | grep GET
> GET / HTTP/1.1
$ curl -v http://example.com 2>&1 | grep GET
> GET / HTTP/1.1
$ curl -v http://example.com/. 2>&1 | grep GET
> GET / HTTP/1.1
$ curl -v http://example.com// 2>&1 | grep GET
> GET // HTTP/1.1

tests/sentry/models/test_apiapplication.py
assert not app.is_valid_redirect_uri("https://example.com/")
assert not app.is_valid_redirect_uri("http://foo.com")
assert not app.is_valid_redirect_uri("http://example.com.foo.com")

assert app.is_valid_redirect_uri("http://sub.example.com/path")
assert app.is_valid_redirect_uri("http://sub.example.com/path/")
assert app.is_valid_redirect_uri("http://sub.example.com/path/bar")
assert not app.is_valid_redirect_uri("http://sub.example.com/path/")
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When it's not root of the domain, then the path with and without slash are considered different:

$ curl -v http://example.com/path 2>&1 | grep GET
> GET /path HTTP/1.1
$ curl -v http://example.com/path/ 2>&1 | grep GET
> GET /path/ HTTP/1.1

@getsantry
Copy link
Contributor

getsantry bot commented Jan 9, 2025

This pull request has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you add the label WIP, I will leave it alone unless WIP is removed ... forever!

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@getsantry getsantry bot added Stale and removed Stale labels Jan 9, 2025
@getsantry
Copy link
Contributor

getsantry bot commented Feb 6, 2025

This pull request has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you add the label WIP, I will leave it alone unless WIP is removed ... forever!

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@getsantry getsantry bot added the Stale label Feb 6, 2025
@codecov Codecov
Copy link

codecov bot commented Feb 6, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #82294      +/-   ##
==========================================
+ Coverage   87.60%   87.65%   +0.04%     
==========================================
  Files        9647     9502     -145     
  Lines      545335   543030    -2305     
  Branches    21428    21009     -419     
==========================================
- Hits       477732   475983    -1749     
+ Misses      67260    66641     -619     
- Partials      343      406      +63

@getsantry getsantry bot removed the Stale label Feb 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Scope: Backend Automatically applied to PRs that change backend components
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@oioki