Files

 master

/

allowlist.go

Copy path

Blame

Blame

Latest commit

 

History

History

80 lines (69 loc) · 2.23 KB

 master

/

allowlist.go

Top

File metadata and controls

• Code
• Blame

80 lines (69 loc) · 2.23 KB

Raw

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

package validation

import (

"fmt"

"os"

"regexp"

"strings"

"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"

"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/ip"

)

func validateAllowlists(o *options.Options) []string {

msgs := []string{}

msgs = append(msgs, validateAuthRoutes(o)...)

msgs = append(msgs, validateAuthRegexes(o)...)

msgs = append(msgs, validateTrustedIPs(o)...)

if len(o.TrustedIPs) > 0 && o.ReverseProxy {

_, err := fmt.Fprintln(os.Stderr, "WARNING: mixing --trusted-ip with --reverse-proxy is a potential security vulnerability. An attacker can inject a trusted IP into an X-Real-IP or X-Forwarded-For header if they aren't properly protected outside of oauth2-proxy")

if err != nil {

panic(err)

}

}

return msgs

}

// validateAuthRoutes validates method=path routes passed with options.SkipAuthRoutes

func validateAuthRoutes(o *options.Options) []string {

msgs := []string{}

for _, route := range o.SkipAuthRoutes {

var regex string

parts := strings.SplitN(route, "=", 2)

if len(parts) == 1 {

regex = parts[0]

} else {

regex = parts[1]

}

_, err := regexp.Compile(regex)

if err != nil {

msgs = append(msgs, fmt.Sprintf("error compiling regex /%s/: %v", regex, err))

}

}

return msgs

}

// validateRegex validates regex paths passed with options.SkipAuthRegex

func validateAuthRegexes(o *options.Options) []string {

return validateRegexes(o.SkipAuthRegex)

}

// validateTrustedIPs validates IP/CIDRs for IP based allowlists

func validateTrustedIPs(o *options.Options) []string {

msgs := []string{}

for i, ipStr := range o.TrustedIPs {

if nil == ip.ParseIPNet(ipStr) {

msgs = append(msgs, fmt.Sprintf("trusted_ips[%d] (%s) could not be recognized", i, ipStr))

}

}

return msgs

}

// validateAPIRoutes validates regex paths passed with options.ApiRoutes

func validateAPIRoutes(o *options.Options) []string {

return validateRegexes(o.APIRoutes)

}

// validateRegexes validates all regexes and returns a list of messages in case of error

func validateRegexes(regexes []string) []string {

msgs := []string{}

for _, regex := range regexes {

_, err := regexp.Compile(regex)

if err != nil {

msgs = append(msgs, fmt.Sprintf("error compiling regex /%s/: %v", regex, err))

}

}

return msgs

}