From 650bd4fad9c517fa8e2cb1bcdb2368fedfd25976 Mon Sep 17 00:00:00 2001 From: Arzumify Date: Thu, 16 May 2024 19:07:54 +0100 Subject: [PATCH] Prevent open redirects from being possible --- main.go | 66 ++++++++++++++++++++++++--------------------- templates/main.html | 12 ++++++--- 2 files changed, 44 insertions(+), 34 deletions(-) diff --git a/main.go b/main.go index 1a644c0..c68d7de 100644 --- a/main.go +++ b/main.go @@ -801,6 +801,42 @@ func main() { redirect_uri := c.Request.URL.Query().Get("redirect_uri") state := c.Request.URL.Query().Get("state") nonce := c.Request.URL.Query().Get("nonce") + deny := c.Request.URL.Query().Get("deny") + + conn := get_db_connection() + + var appidcheck, rdiruricheck string + + if !(rdiruricheck == redirect_uri) { + c.String(401, "Redirect URI does not match") + return + } + + if deny == "true" { + c.Redirect(302, redirect_uri+"?error=access_denied&state="+state) + return + } + + err := conn.QueryRow("SELECT appId, rdiruri FROM oauth WHERE appId = ? LIMIT 1", appId).Scan(&appidcheck, &rdiruricheck) + if err != nil { + if errors.Is(err, sql.ErrNoRows) { + fmt.Println(appId) + c.String(401, "OAuth screening failed") + } else { + log.Println("[ERROR] Unknown in /api/auth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) + } + return + } + + if !(appidcheck == appId) { + fmt.Println(appidcheck, appId) + c.String(401, "OAuth screening failed") + return + } + + if nonce == "none" { + nonce = genSalt(512) + } userid, norows := get_user_from_session(secretKey) 
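Review bot: The new `if !(rdiruricheck == redirect_uri)` guard runs before the `conn.QueryRow(...).Scan(&appidcheck, &rdiruricheck)` that populates `rdiruricheck`, so it compares the caller's redirect_uri against an empty string: any request with a non-empty redirect_uri is rejected with 401 "Redirect URI does not match", and when redirect_uri is empty the `deny == "true"` branch redirects to a bare `?error=access_denied&state=...` URL, so the database-backed check this commit relies on never actually guards the redirect. The fix is to move the comparison and the deny branch below the `Scan` and its error handling, and to redirect to the stored `rdiruricheck` rather than to the request parameter. `state` is also spliced into the Location header unescaped, and `redirect_uri+"?error=..."` assumes the registered URI carries no query string of its own; building the target with `net/url` handles both, provided `net/url` is already imported in this file (the import block is not in this hunk). The enclosing handler closure begins and ends outside this hunk.

```go
	conn := get_db_connection()

	var appidcheck, rdiruricheck string

	err := conn.QueryRow("SELECT appId, rdiruri FROM oauth WHERE appId = ? LIMIT 1", appId).Scan(&appidcheck, &rdiruricheck)
	// … unchanged: sql.ErrNoRows / unknown-error handling …

	if !(appidcheck == appId) {
		// … unchanged: 401 "OAuth screening failed" …
	}

	// rdiruricheck is only meaningful after the Scan above; compare it here, not before the query.
	if !(rdiruricheck == redirect_uri) {
		c.String(401, "Redirect URI does not match")
		return
	}

	if deny == "true" {
		// Redirect only to the registered URI, and escape state so it cannot inject extra parameters.
		target, perr := url.Parse(rdiruricheck)
		if perr != nil {
			c.String(500, "Registered redirect URI is not a valid URL")
			return
		}
		q := target.Query()
		q.Set("error", "access_denied")
		q.Set("state", state)
		target.RawQuery = q.Encode()
		c.Redirect(302, target.String())
		return
	}

	// … unchanged: nonce == "none" handling …
```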
@@ -816,36 +852,6 @@ func main() {
 return
 }
- conn := get_db_connection()
-
- var appidcheck, rdiruricheck string
-
- err := conn.QueryRow("SELECT appId, rdiruri FROM oauth WHERE appId = ? LIMIT 1", appId).Scan(&appidcheck, &rdiruricheck)
- if err != nil {
- if errors.Is(err, sql.ErrNoRows) {
- fmt.Println(appId)
- c.String(401, "OAuth screening failed")
- } else {
- log.Println("[ERROR] Unknown in /api/auth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
- }
- return
- }
-
- if !(rdiruricheck == redirect_uri) {
- c.String(401, "Redirect URI does not match")
- return
- }
-
- if !(appidcheck == appId) {
- fmt.Println(appidcheck, appId)
- c.String(401, "OAuth screening failed")
- return
- }
-
- if nonce == "none" {
- nonce = genSalt(512)
- }
-
 datatemplate := jwt.MapClaims{
 "sub": uniqueid[:255],
 "iss": "https://auth.hectabit.org",
diff --git a/templates/main.html b/templates/main.html
index 0a6fd98..259004b 100644
--- a/templates/main.html
+++ b/templates/main.html
@@ -56,11 +56,15 @@ expires = new Date(expireTime).toUTCString();
 });
+ function deny() {
+ document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
+ // Redirect to the redirect_uri so that an open redirect is not possible
+ window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=true");
+ }
+
 function oauth() {
 document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
-
- // Send data to example.org using POST request
- window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce);
+ window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=false");
 }
@@ -76,7 +80,7 @@
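Review bot: `deny()` interpolates `redirect_uri`, `state` and `nonce` into the `/api/auth` query string without `encodeURIComponent`, so a registered URI containing `&`, `#` or `?` is truncated or split before the server compares it against the stored value, and the rewritten `oauth()` line has the same problem. Build the query with `URLSearchParams`, e.g. `const q = new URLSearchParams({client_id: client_id, redirect_uri: redirect_uri, code_challenge_method: codemethod, code_challenge: code, state: state, nonce: nonce, deny: "true"});` followed by `window.location.replace("/api/auth?" + q.toString());`, and the same in `oauth()` with `deny: "false"`. The comment `// Redirect to the redirect_uri so that an open redirect is not possible` is also misleading, since this line navigates to `/api/auth` rather than to redirect_uri; `// Go through /api/auth so the server validates redirect_uri against the registered value before redirecting` describes what the line actually does. The enclosing script block starts and ends outside this hunk.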
- +