External redirects allowed

[bengerman13]

Frontend Deployment type

• Cloud Foundry Application (cf push)
• Kubernetes, using a helm chart
• Docker, single container deploying all components
• npm run start
• Other (please specify below)

Backend (Jet Stream) Deployment type

• Cloud Foundry Application (cf push)
• Kubernetes, using a helm chart
• Docker, single container deploying all components
• Other (please specify below)

Expected behaviour

Stratos should validate redirects passed as query parameters on login

Actual behaviour

Stratos redirects to any url upon login

Steps to reproduce the behavior

1. log in to stratos
2. go to https://your stratos url/pp/v1/auth/sso_login?state=some url that is not stratos

Context

This is a security vulnerability.
An attacker could use a specially-crafted url that looks trusted to a user. When the user clicks on the url, they could be taken to a nefarious site. This can also make phishing attempts more convincing by using trusted urls.
More details on why this is bad available from OWASP

Possible Implementation

I think this is happening here: https://github.com/cloudfoundry-incubator/stratos/blob/v2-master/src/jetstream/auth.go#L196

I think the best implementation here is to have a whitelist of safe redirect hosts, or to not follow redirects from the url at all.

[richard-cox]

Hi @bengerman13 , thanks for raising this issue. This looks like something we should fix and will have a look in our next sprint (due to start next week).

[bengerman13]

Thanks @richard-cox!

[siennathesane]

@richard-cox any update on this?

[nwmac]

We plan to add an env var that specifies a whitelist of URLS that can be redirected to. This can be configured in the manifest or via env vars depending on how Stratos is deployed. We will check SSO redirects match this whitelist if one is set.

@mxplusb Seem reasonable?

[siennathesane]

Works for me! Thanks.