-
-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow valid_origin? to accept subdomains #44
base: master
Are you sure you want to change the base?
Conversation
Thanks for the PR! Can you point out the section of the spec explaining what we can do (and can't!) with the origin? As this is a security-related library, we need to be extra careful with any change affecting the various checks we do. Keep in mind this library was created from the first version of the spec, now we are at level 3. Maybe some things related to |
Sure! I'm going off the W3 spec: Specifically this part:
Although re-reading the spec, this seems like a place where you sacrifice security for flexibility, as basically any subdomain becomes a vector for attack. Frankly, I'm confused why this would be allowed without some mitigating solution in the spec. What I now think might be better is is just take in a list of approved domains instead, which is also part of the spec:
|
client_origin = URI.parse(client_data.origin) | ||
challenge_origin = URI.parse(challenge.origin) | ||
|
||
if client_origin.scheme == challenge_origin.scheme && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better use the boolean and
operator here. Ensure to run Dialyzer even though I think there are some errors.
Hi again and sorry for the late reply. Thanks for the proposed contribution.
I propose all of the options: the atom I've left a few comments. Talking about origin, it would be nice if this PR could support mobile origins as well. See https://github.com/joshrieken/wax/tree/mobile-support for what need to be done. Maybe @joshrieken can help here? |
Sounds good! I can update the PR to account for all them, thanks! I'll take a look into the mobile origins as well, but may defer that depending on future conversation |
Yeah the mobile stuff might belong to another PR. Still it would be interesting to understand what was done there and why |
challenge_origin = URI.parse(challenge.origin) | ||
|
||
if client_origin.scheme == challenge_origin.scheme && | ||
String.ends_with?(client_origin.host, challenge.rp_id) do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like one of my comments didn't get through.
I think we would accept a challenge for example.com signed by evil-site-example.com. This is a serious security vulnerability.
Treating origin
must be done carefully. Please feel free to get inspiration from Phoenix https://github.com/phoenixframework/phoenix/blob/48ee8cc407f060eee1152f2c8f64bff49a6b4f15/lib/phoenix/socket/transport.ex#L583-L609
When accepting PRs for security libraries, I'd prefer the author to be a public identifiable person. It's an additional protection against introduction of vulnerabilities. Please consider creating a PR with such a profile.
I am trying to process webauth requests on my primary and subdomains. The current checks are very strict on the domain, but setting the rp_id should allow you to process subdomains as well. The change I am proposing should abide by the webauth rules about origin/rp_id and accomplish the following:
There is probably a better way to accomplish this though, open to suggestions!