Skip to content

[server/auth] ensure safe returnTo param#2879

Merged
AlexTugarev merged 1 commit into
masterfrom
at/returnTo
Jan 13, 2021
Merged

[server/auth] ensure safe returnTo param#2879
AlexTugarev merged 1 commit into
masterfrom
at/returnTo

Conversation

@AlexTugarev

@AlexTugarev AlexTugarev commented Jan 13, 2021

Copy link
Copy Markdown
Member

This PR closes an open redirect issue. AFAIK this is problem if an attacker would fake a Gitpod-like website and make people use links with redirects to it. The fake website could potentially ask user to enter sensitive information.

Allowing for Gitpod homepage URLs comes in parallel via #2692. ✔️

how to test

  1. log in & log out without errors.
  2. should login and start a workspace: http://at-returnto.staging.gitpod-dev.com/api/login?host=github.com&returnTo=http://at-returnto.staging.gitpod-dev.com/#https://github.com/gitpod-io/django-locallibrary-tutorial
  3. log out.
  4. should open the dashboard: http://at-returnto.staging.gitpod-dev.com/api/login?host=github.com&returnTo=https://github.com/gitpod-io/gitpod/pull/2879

@csweichel csweichel left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

works as advertised. LGTM.

@AlexTugarev
AlexTugarev merged commit 8ca431f into master Jan 13, 2021
@AlexTugarev
AlexTugarev deleted the at/returnTo branch January 13, 2021 13:45
@AlexTugarev

AlexTugarev commented Jun 22, 2021

Copy link
Copy Markdown
Member Author

Thanks for reporting, @payloadartist! 🙏🏻

Just created an update #4567 to be picked up for https://www.gitpod.io/changelog soon.

@payloadartist

payloadartist commented Jun 22, 2021

Copy link
Copy Markdown

Thanks for reporting, @payloadartist! 🙏🏻

Just created an update #4567 to be picked up for https://www.gitpod.io/changelog soon.

FYI you can credit me with my Twitter handle - https://twitter.com/payloadartist in the changelog if you want

As I already see someone credited for a security vuln

image

@payloadartist

Copy link
Copy Markdown

This was assigned CVE-2021-35206 btw

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants