QID 982401

QID 982401: Go (go) Security Update for github.com/oauth2-proxy/oauth2-proxy (GHSA-4mf2-f3wh-gvf2)

A security update has been released for github.com/oauth2-proxy/oauth2-proxy and github.com/oauth2-proxy/oauth2-proxy/v7 to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

_What kind of vulnerability is it? Who is impacted?_
For users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect.

For example, if a whitelist domain was configured for `.example.com`, the intention is that subdomains of `example.com` are allowed.
Instead, `example.com` and `badexample.com` could also match.

  • CVSS V3 rated as High - 6.1 severity.
  • CVSS V2 rated as Medium - 5.8 severity.

Solution

_Has the problem been patched? What versions should users upgrade to?_
This is fixed in version 7.0.0 onwards.

Workaround:
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
Disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.

# Original Issue Posted by @semoac:

The Whitelist Domain feature is not working as expected because it is not matching a dot to ensure the redirect is a subdomain.

## Expected Behavior

If the whitelist domain is set to `.example.com`, then `hack.alienexample.com` should be rejected as a valid redirect.

## Current Behavior

The code is removing the `dot` from `.example.com` and only checking if the redirect string ends with `example.com`.

## Possible Solution
Here:
https://github.com/oauth2-proxy/oauth2-proxy/blob/c377466411f2aee180a732187edb638f2f7e57fb/oauthproxy.go#L661

Include the dot when checking the string:
```go
strings.HasSuffix(redirectHostname, "." + domainHostname)
```

## Steps to Reproduce (for bugs)

```go
package main

import (
	"fmt"
	"strings"
)

// validOptionalPort reports whether port is empty, ":*" or ":" followed only by digits.
func validOptionalPort(port string) bool {
	if port == "" || port == ":*" {
		return true
	}
	if port[0] != ':' {
		return false
	}
	for _, b := range port[1:] {
		if b < '0' || b > '9' {
			return false
		}
	}
	return true
}

// splitHostPort separates an optional ":port" suffix from the host and strips IPv6 brackets.
func splitHostPort(hostport string) (host, port string) {
	host = hostport

	colon := strings.LastIndexByte(host, ':')
	if colon != -1 && validOptionalPort(host[colon:]) {
		host, port = host[:colon], host[colon+1:]
	}

	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
		host = host[1 : len(host)-1]
	}

	return
}

func main() {
	domain := ".example.com"
	// The leading dot is stripped before the comparison, so the suffix check
	// below only requires the redirect to end in "example.com".
	domainHostname, _ := splitHostPort(strings.TrimLeft(domain, "."))
	redirectHostname := "https://hack.alienexample.com"
	if strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectHostname, domainHostname) {
		fmt.Println("This should not have happened.")
	}
}
```

Users of `github.com/oauth2-proxy/oauth2-proxy` are advised to update to `github.com/oauth2-proxy/oauth2-proxy/v7`.
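As an added example (not code from the advisory or from the oauth2-proxy project), the following Go program places the pre-7.0.0 style suffix check described above next to a stricter matcher that keeps the leading dot, as the issue's "Possible Solution" suggests, and extracts the hostname with net/url instead of running the suffix check over the whole redirect URL. The function names, the `IsValidRedirect` allow-list helper and the sample redirect targets are constructed for illustration and are not the project's API; with a leading-dot entry the strict matcher accepts only true subdomains, so the apex `example.com` needs its own entry if it should be allowed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// vulnerableMatch mirrors the pre-7.0.0 behaviour the advisory describes:
// the leading dot of the whitelist entry is dropped, so any hostname that
// merely ends in "example.com" (example.com, badexample.com) is accepted.
func vulnerableMatch(redirectHost, whitelistDomain string) bool {
	domainHost := strings.TrimLeft(whitelistDomain, ".")
	return strings.HasPrefix(whitelistDomain, ".") &&
		strings.HasSuffix(redirectHost, domainHost)
}

// strictMatch keeps the dot in the suffix, so a leading-dot entry matches
// only real subdomains. An entry without a leading dot matches only that
// exact host. Comparison is case-insensitive because DNS names are.
func strictMatch(redirectHost, whitelistDomain string) bool {
	redirectHost = strings.ToLower(redirectHost)
	whitelistDomain = strings.ToLower(whitelistDomain)
	if strings.HasPrefix(whitelistDomain, ".") {
		return strings.HasSuffix(redirectHost, whitelistDomain)
	}
	return redirectHost == whitelistDomain
}

// redirectHostname extracts the hostname from an absolute http(s) redirect
// URL with net/url, so a port, path or query string cannot influence the
// domain comparison. Relative paths, protocol-relative "//host" targets and
// other schemes are rejected.
func redirectHostname(rawRedirect string) (string, error) {
	u, err := url.Parse(rawRedirect)
	if err != nil {
		return "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("unsupported scheme %q in %q", u.Scheme, rawRedirect)
	}
	host := u.Hostname()
	if host == "" {
		return "", fmt.Errorf("no host in %q", rawRedirect)
	}
	return host, nil
}

// IsValidRedirect is a hypothetical allow-list check (not oauth2-proxy's own
// API): the redirect is allowed only if its hostname strictly matches one of
// the configured whitelist entries.
func IsValidRedirect(rawRedirect string, whitelist []string) bool {
	host, err := redirectHostname(rawRedirect)
	if err != nil {
		return false
	}
	for _, entry := range whitelist {
		if strictMatch(host, entry) {
			return true
		}
	}
	return false
}

func main() {
	whitelist := []string{".example.com"}
	// Constructed sample redirect targets for the comparison; not real sites.
	samples := []string{
		"https://app.example.com/oauth2/callback",
		"https://app.example.com:8443/oauth2/callback",
		"https://example.com/",
		"https://badexample.com/",
		"https://hack.alienexample.com/",
		"https://app.example.com.other.test/",
		"//app.example.com/",
	}
	for _, s := range samples {
		host, _ := redirectHostname(s)
		fmt.Printf("%-48s pre-7.0.0=%-5t strict=%t\n",
			s, vulnerableMatch(host, whitelist[0]), IsValidRedirect(s, whitelist))
	}
}
```

Running the program prints one line per sample: the first two and only those are accepted by the strict check, while the pre-7.0.0 check also accepts `example.com`, `badexample.com` and `hack.alienexample.com`.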
Vendor References

CVEs related to QID 982401

Software Advisories

| Advisory ID | Software Component | Link |
| --- | --- | --- |
| GHSA-4mf2-f3wh-gvf2 | github.com/oauth2-proxy/oauth2-proxy | github.com/advisories/GHSA-4mf2-f3wh-gvf2 |
| GHSA-4mf2-f3wh-gvf2 | github.com/oauth2-proxy/oauth2-proxy/v7 | github.com/advisories/GHSA-4mf2-f3wh-gvf2 |