Harden redir target security checks
This commit is contained in:
parent
1547939604
commit
327aabaf46
@ -14,17 +14,19 @@ public class CookieProxyController : Controller {
// Check if we are on the correct domain
// Check if we are on the correct domain
if (Request.Host.Host != Vars.AuthProxySubdomain + "." + Vars.UpstreamPrimaryDomain)
if (Request.Host.Host != Vars.AuthProxySubdomain + "." + Vars.UpstreamPrimaryDomain)
return StatusCode(StatusCodes.Status421MisdirectedRequest);
return StatusCode(StatusCodes.Status421MisdirectedRequest);
if (!Request.Cookies.ContainsKey("authelia_session")
if (!Request.Cookies.ContainsKey("authelia_session")
|| string.IsNullOrWhiteSpace(dstDomain)
|| string.IsNullOrWhiteSpace(dstDomain)
|| !Vars.PermittedDomains.Contains(dstDomain)
|| !Vars.PermittedDomains.Contains(dstDomain)
|| string.IsNullOrWhiteSpace(tgt)) {
|| string.IsNullOrWhiteSpace(tgt)
|| !new Uri(tgt).Host.EndsWith(dstDomain)) {
return BadRequest("Bad request.");
return BadRequest("Bad request.");
}
}
var targetUrl =
var targetUrl = $"https://{Vars.AuthProxySubdomain}.{dstDomain}/api/cookieproxy_stage_two?dstDomain={HttpUtility.UrlEncode(dstDomain)}&tgt={HttpUtility.UrlEncode(tgt)}";
$"https://{Vars.AuthProxySubdomain}.{dstDomain}/api/cookieproxy_stage_two?dstDomain={HttpUtility.UrlEncode(dstDomain)}&tgt={HttpUtility.UrlEncode(tgt)}";
return
return Content($"Redirecting to cookie proxy (stage two) on the destination domain... <form method=\"POST\" action=\"{targetUrl}\"> <input type=\"hidden\" name=\"cookie\" value=\"{HttpUtility.HtmlEncode(Request.Cookies["authelia_session"])}\"><button type=\"submit\">Click here</button> if you are not redirected automatically</form><script>document.querySelector(\"form\").submit();</script>", "text/html");
Content($"Redirecting to cookie proxy (stage two) on the destination domain... <form method=\"POST\" action=\"{targetUrl}\"> <input type=\"hidden\" name=\"cookie\" value=\"{HttpUtility.HtmlEncode(Request.Cookies["authelia_session"])}\"><button type=\"submit\">Click here</button> if you are not redirected automatically</form><script>document.querySelector(\"form\").submit();</script>",
"text/html");
}
}
[HttpPost]
[HttpPost]
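Review bot: The new `!new Uri(tgt).Host.EndsWith(dstDomain)` check is a bare suffix match, so a host such as `evil<dstDomain>` (no separating dot) passes for a permitted `dstDomain`; the same operand is added in the stage-two hunk of this file and in RedirectController. In addition, `new Uri(tgt)` throws `UriFormatException` on a malformed `tgt`, which turns an expected bad-input case into an unhandled exception rather than the `BadRequest` the rest of the condition returns, and the culture-sensitive `EndsWith` overload is used for a hostname. Parse with `Uri.TryCreate(tgt, UriKind.Absolute, out var tgtUri)` and require the host to equal `dstDomain` or end with `"." + dstDomain` under `StringComparison.OrdinalIgnoreCase`; if plain-http targets are not needed here, also comparing `tgtUri.Scheme` against `Uri.UriSchemeHttps` would narrow the redirect further. The enclosing action method begins before this hunk.
```csharp
if (!Request.Cookies.ContainsKey("authelia_session")
    || string.IsNullOrWhiteSpace(dstDomain)
    || !Vars.PermittedDomains.Contains(dstDomain)
    || string.IsNullOrWhiteSpace(tgt)
    || !Uri.TryCreate(tgt, UriKind.Absolute, out var tgtUri)
    || !(tgtUri.Host.Equals(dstDomain, StringComparison.OrdinalIgnoreCase)
         || tgtUri.Host.EndsWith("." + dstDomain, StringComparison.OrdinalIgnoreCase))) {
    return BadRequest("Bad request.");
}
// … unchanged: targetUrl construction and auto-submitting form …
```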
@ -35,7 +37,11 @@ public class CookieProxyController : Controller {
if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p)))
if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p)))
return StatusCode(StatusCodes.Status421MisdirectedRequest);
return StatusCode(StatusCodes.Status421MisdirectedRequest);
if (string.IsNullOrWhiteSpace(dstDomain) || !Vars.PermittedDomains.Contains(dstDomain) || string.IsNullOrWhiteSpace(cookie) || string.IsNullOrWhiteSpace(tgt)) {
if (string.IsNullOrWhiteSpace(dstDomain)
|| !Vars.PermittedDomains.Contains(dstDomain)
|| string.IsNullOrWhiteSpace(cookie)
|| string.IsNullOrWhiteSpace(tgt)
|| !new Uri(tgt).Host.EndsWith(dstDomain)) {
return BadRequest("Bad request.");
return BadRequest("Bad request.");
}
}
@ -14,7 +14,7 @@ public class RedirectController : Controller {
return StatusCode(StatusCodes.Status421MisdirectedRequest);
return StatusCode(StatusCodes.Status421MisdirectedRequest);
}
}
if (string.IsNullOrWhiteSpace(dstDomain) || !Vars.PermittedDomains.Contains(dstDomain) || string.IsNullOrWhiteSpace(tgt)) {
if (string.IsNullOrWhiteSpace(dstDomain) || !Vars.PermittedDomains.Contains(dstDomain) || string.IsNullOrWhiteSpace(tgt) || !new Uri(tgt).Host.EndsWith(dstDomain)) {
Response.StatusCode = StatusCodes.Status421MisdirectedRequest;
Response.StatusCode = StatusCodes.Status421MisdirectedRequest;
return BadRequest("Bad request.");
return BadRequest("Bad request.");
}
}
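Review bot: The extended condition in RedirectController is kept on one line while the same commit reflows the equivalent conditions in CookieProxyController to one operand per line; laying this one out the same way (`if (string.IsNullOrWhiteSpace(dstDomain)` / `|| !Vars.PermittedDomains.Contains(dstDomain)` / `|| ...`) would make the three checks read identically and make future divergence between them visible in review. The host-suffix and `new Uri(tgt)` concerns raised on the first CookieProxyController hunk apply to this operand unchanged. The enclosing action method begins before this hunk.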