From 5d8c1aa0b0d31d7aac3278c44af81e4133918508 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 15 Feb 2022 14:58:19 +0100
Subject: [PATCH] outposts/proxy: correctly check host in forward domain redirect

Signed-off-by: Jens Langhammer #1997
---
 internal/outpost/proxyv2/application/oauth.go | 5 +++--
 .../outpost/proxyv2/application/oauth_test.go | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go
index f699370eb..a018f792d 100644
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@@ -29,11 +29,12 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
 	// Check to make sure we only redirect to allowed places
 	if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
 		if !strings.Contains(u.String(), a.proxyConfig.ExternalHost) {
-			a.log.Warning("redirect URI did not contain external host")
+			a.log.WithField("url", u.String()).WithField("ext", a.proxyConfig.ExternalHost).Warning("redirect URI did not contain external host")
 			return "", false
 		}
 	} else {
-		if !strings.HasSuffix(rd, *a.proxyConfig.CookieDomain) {
+		if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {
+			a.log.WithField("host", u.Host).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Host was not included in cookie domain")
 			return "", false
 		}
 	}
diff --git a/internal/outpost/proxyv2/application/oauth_test.go b/internal/outpost/proxyv2/application/oauth_test.go
index ced8f2fdb..88566a304 100644
--- a/internal/outpost/proxyv2/application/oauth_test.go
+++ b/internal/outpost/proxyv2/application/oauth_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"goauthentik.io/api"
 )
 
 func TestCheckRedirectParam(t *testing.T) {
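Review bot: The new `strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain)` in the else branch is not a domain check: a bare suffix match has no label boundary, so any host that merely ends in the cookie-domain characters (with no dot before them) is accepted as a redirect target, and an empty cookie domain accepts every host. `u.Host` also retains an explicit `:port`, which makes a legitimate in-domain redirect with a port fail the check. Assuming `u` is a `*url.URL`, I'd compare on a label boundary: `dom := strings.TrimPrefix(*a.proxyConfig.CookieDomain, ".")`, `host := u.Hostname()`, `if host != dom && !strings.HasSuffix(host, "."+dom) {`. The `strings.Contains(u.String(), a.proxyConfig.ExternalHost)` test in the other branch is untouched context here but has the same substring weakness and would benefit from the same hostname comparison. checkRedirectParam starts before this hunk, so where `u` and `rd` are derived is not visible.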
@@ -30,3 +31,21 @@ func TestCheckRedirectParam(t *testing.T) {
 	assert.Equal(t, true, ok)
 	assert.Equal(t, "https://ext.t.goauthentik.io/test", rd)
 }
+
+func TestCheckRedirectParam_Domain(t *testing.T) {
+	a := newTestApplication()
+	a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
+	a.proxyConfig.CookieDomain = api.PtrString("t.goauthentik.io")
+	req, _ := http.NewRequest("GET", "https://a.t.goauthentik.io/outpost.goauthentik.io/auth/start", nil)
+
+	rd, ok := a.checkRedirectParam(req)
+
+	assert.Equal(t, false, ok)
+	assert.Equal(t, "", rd)
+	req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test", nil)
+
+	rd, ok = a.checkRedirectParam(req)
+
+	assert.Equal(t, true, ok)
+	assert.Equal(t, "https://ext.t.goauthentik.io/test", rd)
+}
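Review bot: TestCheckRedirectParam_Domain never exercises the rejection path of the new host check: the first request carries no `rd` parameter at all, so its `ok == false` says nothing about the cookie-domain comparison, and the second request is the accepted case. A request whose `rd` host lies outside `t.goauthentik.io` should be added and asserted to yield `"", false`, otherwise a regression to the old `rd`-suffix behaviour would not be caught, and once the suffix match is made label-aware a host that merely ends in the domain characters deserves a case of its own. The `req, _ := http.NewRequest(...)` lines drop the error; `assert.NoError(t, err)` would keep a malformed fixture from silently producing a nil request. Something like the following before the closing brace:
```go
	assert.Equal(t, "https://ext.t.goauthentik.io/test", rd)
	// reject a redirect host that is not under the cookie domain (constructed example host)
	req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://other.example.com/test", nil)
	rd, ok = a.checkRedirectParam(req)
	assert.Equal(t, false, ok)
	assert.Equal(t, "", rd)
```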