[BUG] prevent removing session cookie when redirect_uri query contains ://

2024-11-09 16:55:16 +00:00 · 2024-03-07 10:50:04 +01:00 · 2024-03-07 10:50:04 +01:00 · ecfcbcb19f
parent b9e27b64e6
commit ecfcbcb19f
1 changed files with 58 additions and 0 deletions
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@ -470,6 +470,64 @@ func TestSignInOAuthCallbackSignIn(t *testing.T) {
 	assert.Greater(t, userAfterLogin.LastLoginUnix, userGitLab.LastLoginUnix)
 }

+func TestSignInOAuthCallbackRedirectToEscaping(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	//
+	// OAuth2 authentication source GitLab
+	//
+	gitlabName := "gitlab"
+	gitlab := addAuthSource(t, authSourcePayloadGitLabCustom(gitlabName))
+
+	//
+	// Create a user as if it had been previously been created by the GitLab
+	// authentication source.
+	//
+	userGitLabUserID := "5678"
+	userGitLab := &user_model.User{
+		Name:        "gitlabuser",
+		Email:       "gitlabuser@example.com",
+		Passwd:      "gitlabuserpassword",
+		Type:        user_model.UserTypeIndividual,
+		LoginType:   auth_model.OAuth2,
+		LoginSource: gitlab.ID,
+		LoginName:   userGitLabUserID,
+	}
+	defer createUser(context.Background(), t, userGitLab)()
+
+	//
+	// A request for user information sent to Goth will return a
+	// goth.User exactly matching the user created above.
+	//
+	defer mockCompleteUserAuth(func(res http.ResponseWriter, req *http.Request) (goth.User, error) {
+		return goth.User{
+			Provider: gitlabName,
+			UserID:   userGitLabUserID,
+			Email:    userGitLab.Email,
+		}, nil
+	})()
+	req := NewRequest(t, "GET", fmt.Sprintf("/user/oauth2/%s/callback?code=XYZ&state=XYZ", gitlabName))
+	req.AddCookie(&http.Cookie{
+		Name:  "redirect_to",
+		Value: "/login/oauth/authorize?redirect_uri=https%3A%2F%2Ftranslate.example.org",
+		Path:  "/",
+	})
+	resp := MakeRequest(t, req, http.StatusSeeOther)
+
+	hasNewSessionCookie := false
+	sessionCookieName := setting.SessionConfig.CookieName
+	for _, c := range resp.Result().Cookies() {
+		if c.Name == sessionCookieName {
+			hasNewSessionCookie = true
+			break
+		}
+		t.Log("Got cookie", c.Name)
+	}
+
+	assert.True(t, hasNewSessionCookie, "Session cookie %q is missing", sessionCookieName)
+	assert.Equal(t, "/login/oauth/authorize?redirect_uri=https://translate.example.org", test.RedirectURL(resp))
+}
+
 func TestSignUpViaOAuthWithMissingFields(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	// enable auto-creation of accounts via OAuth2