From 4e58a06b8b505bf72194f9d6d220f9e7d9289621 Mon Sep 17 00:00:00 2001
From: Kyle Shockey
Date: Fri, 22 Feb 2019 21:48:38 -0800
Subject: [PATCH 1/3] fix: sanitize URLs used for OAuth auth flow
---
 src/core/oauth2-authorize.js | 7 ++++---
 test/e2e-cypress/static/documents/xss/oauth2.yaml | 5 +++++
 test/e2e-cypress/tests/features/xss/oauth2.js | 15 +++++++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 test/e2e-cypress/static/documents/xss/oauth2.yaml
 create mode 100644 test/e2e-cypress/tests/features/xss/oauth2.js
diff --git a/src/core/oauth2-authorize.js b/src/core/oauth2-authorize.js
index 0de353d2572..f819e293246 100644
--- a/src/core/oauth2-authorize.js
+++ b/src/core/oauth2-authorize.js
@@ -1,5 +1,5 @@
 import win from "core/window"
-import { btoa } from "core/utils"
+import { btoa, sanitizeUrl } from "core/utils"
 export default function authorize ( { auth, authActions, errActions, configs, authConfigs={} } ) {
 let { schema, scopes, name, clientId } = auth
@@ -74,8 +74,9 @@ export default function authorize ( { auth, authActions, errActions, configs, au
 }
 }
- let authorizationUrl = schema.get("authorizationUrl")
- let url = [authorizationUrl, query.join("&")].join(authorizationUrl.indexOf("?") === -1 ? "?" : "&")
+ const authorizationUrl = schema.get("authorizationUrl")
+ const sanitizedAuthorizationUrl = sanitizeUrl(authorizationUrl)
+ let url = [sanitizedAuthorizationUrl, query.join("&")].join(authorizationUrl.indexOf("?") === -1 ? "?" : "&")
 // pass action authorizeOauth2 and authentication data through window
 // to authorize with oauth2
diff --git a/test/e2e-cypress/static/documents/xss/oauth2.yaml b/test/e2e-cypress/static/documents/xss/oauth2.yaml
new file mode 100644
index 00000000000..4ff4cc79990
--- /dev/null
+++ b/test/e2e-cypress/static/documents/xss/oauth2.yaml
@@ -0,0 +1,5 @@
+swagger: '2.0'
+securityDefinitions:
+ a:
+ type: oauth2
+ authorizationUrl: javascript:alert(document.domain)//
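Review bot: In the new `let url` line of the `@@ -74,8 +74,9 @@` hunk the `?`/`&` separator is still decided from the unsanitized `authorizationUrl`, while the value actually joined is `sanitizedAuthorizationUrl`, so whenever `sanitizeUrl` rewrites the input (a rejected URL that happens to contain `?`, for instance) the separator no longer matches the string it is appended to. Use the sanitized value for both: `let url = [sanitizedAuthorizationUrl, query.join("&")].join(sanitizedAuthorizationUrl.indexOf("?") === -1 ? "?" : "&")`. A short why-comment above the `sanitizeUrl` call would also help the next reader, e.g. `// authorizationUrl comes from the untrusted spec; sanitize it before it is handed to the window`. It is not visible here what `sanitizeUrl` returns for a missing or non-string value, so whether the `.indexOf` call can still throw on an undefined `authorizationUrl` should be confirmed against `core/utils`; the body of `authorize` continues outside the hunk.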
diff --git a/test/e2e-cypress/tests/features/xss/oauth2.js b/test/e2e-cypress/tests/features/xss/oauth2.js
new file mode 100644
index 00000000000..2d6159e9f7d
--- /dev/null
+++ b/test/e2e-cypress/tests/features/xss/oauth2.js
@@ -0,0 +1,15 @@
+describe("XSS: OAuth2 authorizationUrl sanitization", () => {
+ it("should filter out a javascript URL", () => {
+ cy.visit("/?url=/documents/xss/oauth2.yaml")
+ .window()
+ .then(win => {
+ cy.stub(win, "open").as("windowOpen")
+ cy.get(".authorize")
+ .click()
+ .get(".modal-btn.authorize")
+ .click()
+ cy.get("@windowOpen").should("be.calledWith", "page1.html")
+ })
+ })
+})
From 5b8f7fda86b8e678503e3a9e54e0b2ac839f4f25 Mon Sep 17 00:00:00 2001
From: Kyle Shockey
Date: Sat, 23 Feb 2019 14:04:16 -0800
Subject: [PATCH 2/3] embetter test case
---
 test/e2e-cypress/tests/features/xss/oauth2.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/test/e2e-cypress/tests/features/xss/oauth2.js b/test/e2e-cypress/tests/features/xss/oauth2.js
index 2d6159e9f7d..46486eaf217 100644
--- a/test/e2e-cypress/tests/features/xss/oauth2.js
+++ b/test/e2e-cypress/tests/features/xss/oauth2.js
@@ -3,13 +3,21 @@ describe("XSS: OAuth2 authorizationUrl sanitization", () => {
 cy.visit("/?url=/documents/xss/oauth2.yaml")
 .window()
 .then(win => {
- cy.stub(win, "open").as("windowOpen")
+ let args = null
+ const stub = cy.stub(win, "open", (...callArgs) => {
+ args = callArgs
+ }).as("windowOpen")
+
 cy.get(".authorize")
 .click()
 .get(".modal-btn.authorize")
 .click()
+ .wait(100)
+ .then(() => {
+ console.log(args)
+ expect(args[0]).to.match(/^about\:blank/)
+ })
- cy.get("@windowOpen").should("be.calledWith", "page1.html")
 })
 })
 })
From d3d62b627fe1e6643cfbae7ea1ec50dd47213fd3 Mon Sep 17 00:00:00 2001
From: Kyle Shockey
Date: Sat, 23 Feb 2019 14:10:42 -0800
Subject: [PATCH 3/3] fix linter issue
---
 test/e2e-cypress/tests/features/xss/oauth2.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
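Review bot: In the PATCH 2/3 hunk the new assertion dereferences `args[0]` after a fixed `.wait(100)`, so if `win.open` is never called the test dies with a TypeError on `null` instead of a readable assertion failure, and a slow run can make the 100 ms window flaky; the `console.log(args)` above it reads as leftover debug output. Cypress retries `should` assertions against the aliased sinon stub, so the manual capture, the wait and the log can all be replaced by one line: `cy.get("@windowOpen").should("be.calledWithMatch", /^about:blank/)`, which sinon-chai evaluates by matching the string argument against the regex. With that, the `let args` / `const stub` capture is no longer needed (the `stub` binding appears unused in this hunk as it stands). The same `console.log` and `.wait(100)` lines are carried unchanged into the PATCH 3/3 hunk, so the cleanup applies there too.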
diff --git a/test/e2e-cypress/tests/features/xss/oauth2.js b/test/e2e-cypress/tests/features/xss/oauth2.js
index 46486eaf217..3d7b727aa0a 100644
--- a/test/e2e-cypress/tests/features/xss/oauth2.js
+++ b/test/e2e-cypress/tests/features/xss/oauth2.js
@@ -15,7 +15,7 @@ describe("XSS: OAuth2 authorizationUrl sanitization", () => {
 .wait(100)
 .then(() => {
 console.log(args)
- expect(args[0]).to.match(/^about\:blank/)
+ expect(args[0]).to.match(/^about:blank/)
 })
 })