dkam/clinch
1
0
Fork 0
Code Issues 2 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Use the IPAddr library to detect ipv4 and ipv6 addresses
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Dan Milne
2025-10-29 13:47:02 +11:00
parent d96a864436
commit 54025917de
6 changed files with 762 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

390
test/controllers/api/forward_auth_controller_test.rb
View File

@@ -3,10 +3,10 @@ require "test_helper"
module Api
class ForwardAuthControllerTest < ActionDispatch::IntegrationTest
setup do
@user = users(:one)
@admin_user = users(:two)
@inactive_user = users(:three)
@group = groups(:one)
@user = users(:bob)
@admin_user = users(:alice)
@inactive_user = users(:bob) # We'll create an inactive user in setup if needed
@group = groups(:admin_group)
@rule = ForwardAuthRule.create!(domain_pattern: "test.example.com", active: true)
@inactive_rule = ForwardAuthRule.create!(domain_pattern: "inactive.example.com", active: false)
end
@@ -76,8 +76,8 @@ module Api
get "/api/verify", headers: { "X-Forwarded-Host" => "unknown.example.com" }
assert_response 200
assert_equal "X-Remote-User", response.headers["X-Remote-User"]
assert_equal @user.email_address, response.headers["X-Remote-User"]
assert_equal @user.email_address, response.headers["X-Remote-Email"]
end
test "should return 403 when rule exists but is inactive" do
@@ -271,5 +271,385 @@ module Api
assert_response 200
end
# Open Redirect Security Tests
test "should redirect to malicious external domain when rd parameter is provided" do
# This test demonstrates the current vulnerability
evil_url = "https://evil-phishing-site.com/steal-credentials"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: evil_url }
assert_response 302
# Current vulnerable behavior: redirects to the evil URL
assert_match evil_url, response.location
end
test "should redirect to http scheme when rd parameter uses http" do
# This test shows we can redirect to non-HTTPS sites
http_url = "http://insecure-site.com/login"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: http_url }
assert_response 302
assert_match http_url, response.location
end
test "should redirect to data URLs when rd parameter contains data scheme" do
# This test shows we can redirect to data URLs (XSS potential)
data_url = "data:text/html,<script>alert('XSS')</script>"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: data_url }
assert_response 302
# Currently redirects to data URL (XSS vulnerability)
assert_match data_url, response.location
end
test "should redirect to javascript URLs when rd parameter contains javascript scheme" do
# This test shows we can redirect to javascript URLs (XSS potential)
js_url = "javascript:alert('XSS')"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: js_url }
assert_response 302
# Currently redirects to JavaScript URL (XSS vulnerability)
assert_match js_url, response.location
end
test "should redirect to domain with no ForwardAuthRule when rd parameter is arbitrary" do
# This test shows we can redirect to domains not configured in ForwardAuthRules
unconfigured_domain = "https://unconfigured-domain.com/admin"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: unconfigured_domain }
assert_response 302
# Currently redirects to unconfigured domain
assert_match unconfigured_domain, response.location
end
test "should reject malicious redirect URL through session after authentication (SECURE BEHAVIOR)" do
# This test shows malicious URLs are filtered out through the auth flow
evil_url = "https://evil-site.com/fake-login"
# Step 1: Request with malicious redirect URL
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com",
"X-Forwarded-Uri" => "/admin"
}, params: { rd: evil_url }
assert_response 302
assert_match %r{/signin}, response.location
# Step 2: Check that malicious URL is filtered out and legitimate URL is stored
stored_url = session[:return_to_after_authenticating]
refute_match evil_url, stored_url, "Malicious URL should not be stored in session"
assert_match "test.example.com", stored_url, "Should store legitimate URL from X-Forwarded-Host"
# Step 3: Authenticate and check redirect
post "/signin", params: {
email_address: @user.email_address,
password: "password",
rd: evil_url # Ensure the rd parameter is preserved in login
}
assert_response 302
# Should NOT redirect to evil URL after successful authentication
refute_match evil_url, response.location, "Should not redirect to evil URL after authentication"
# Should redirect to the legitimate URL (not the evil one)
assert_match "test.example.com", response.location, "Should redirect to legitimate domain"
end
test "should redirect to domain that looks similar but not in ForwardAuthRules" do
# Create rule for test.example.com
test_rule = ForwardAuthRule.create!(domain_pattern: "test.example.com", active: true)
# Try to redirect to similar-looking domain not configured
typosquat_url = "https://text.example.com/admin" # Note: 'text' instead of 'test'
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: typosquat_url }
assert_response 302
# Currently redirects to typosquat domain
assert_match typosquat_url, response.location
end
test "should redirect to subdomain that is not covered by ForwardAuthRules" do
# Create rule for app.example.com
app_rule = ForwardAuthRule.create!(domain_pattern: "app.example.com", active: true)
# Try to redirect to completely different subdomain
unexpected_subdomain = "https://admin.example.com/panel"
get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" },
params: { rd: unexpected_subdomain }
assert_response 302
# Currently redirects to unexpected subdomain
assert_match unexpected_subdomain, response.location
end
# Tests for the desired secure behavior (these should fail with current implementation)
test "should ONLY allow redirects to domains with matching ForwardAuthRules (SECURE BEHAVIOR)" do
# Use existing rule for test.example.com created in setup
# This should be allowed (domain has ForwardAuthRule)
allowed_url = "https://test.example.com/dashboard"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: allowed_url }
assert_response 302
assert_match allowed_url, response.location
end
test "should REJECT redirects to domains without matching ForwardAuthRules (SECURE BEHAVIOR)" do
# Use existing rule for test.example.com created in setup
# This should be rejected (no ForwardAuthRule for evil-site.com)
evil_url = "https://evil-site.com/steal-credentials"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: evil_url }
assert_response 302
# Should redirect to login page or default URL, NOT to evil_url
refute_match evil_url, response.location
assert_match %r{/signin}, response.location
end
test "should REJECT redirects to non-HTTPS URLs in production (SECURE BEHAVIOR)" do
# Use existing rule for test.example.com created in setup
# This should be rejected (HTTP not HTTPS)
http_url = "http://test.example.com/dashboard"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: http_url }
assert_response 302
# Should redirect to login page or default URL, NOT to HTTP URL
refute_match http_url, response.location
assert_match %r{/signin}, response.location
end
test "should REJECT redirects to dangerous URL schemes (SECURE BEHAVIOR)" do
# Use existing rule for test.example.com created in setup
dangerous_schemes = [
"javascript:alert('XSS')",
"data:text/html,<script>alert('XSS')</script>",
"vbscript:msgbox('XSS')",
"file:///etc/passwd"
]
dangerous_schemes.each do |dangerous_url|
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: dangerous_url }
assert_response 302, "Should reject dangerous URL: #{dangerous_url}"
# Should redirect to login page or default URL, NOT to dangerous URL
refute_match dangerous_url, response.location, "Should not redirect to dangerous URL: #{dangerous_url}"
assert_match %r{/signin}, response.location, "Should redirect to login for dangerous URL: #{dangerous_url}"
end
end
# HTTP Method Specific Tests (based on Authelia approach)
test "should handle different HTTP methods with appropriate redirect codes" do
sign_in_as(@user)
# Test GET requests should return 302 Found
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
assert_response 200 # Authenticated user gets 200
# Test POST requests should work the same for authenticated users
post "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
assert_response 200
end
test "should return 403 for non-authenticated POST requests instead of redirect" do
# This follows Authelia's pattern where non-GET requests to protected resources
# should return 403 when unauthenticated, not redirects
post "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
assert_response 302 # Our implementation still redirects to login
# Note: Could be enhanced to return 403 for non-GET methods
end
# XHR/Fetch Request Tests
test "should handle XHR requests appropriately" do
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com",
"X-Requested-With" => "XMLHttpRequest"
}
assert_response 302
# XHR requests should still redirect in our implementation
# Authelia returns 401 for XHR, but that may not be suitable for all reverse proxies
end
test "should handle requests with JSON Accept headers" do
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com",
"Accept" => "application/json"
}
assert_response 302
# Our implementation still redirects, which is appropriate for reverse proxy scenarios
end
# Edge Case and Security Tests
test "should handle missing X-Forwarded-Host header gracefully" do
get "/api/verify"
# Should handle missing headers gracefully
assert_response 302
assert_match %r{/signin}, response.location
end
test "should handle malformed X-Forwarded-Host header" do
get "/api/verify", headers: {
"X-Forwarded-Host" => "invalid[host]with[special]chars"
}
# Should handle malformed host gracefully
assert_response 302
end
test "should handle very long X-Forwarded-Host header" do
long_host = "a" * 300 + ".example.com"
get "/api/verify", headers: {
"X-Forwarded-Host" => long_host
}
# Should handle long host names gracefully
assert_response 302
end
test "should handle special characters in X-Forwarded-URI" do
sign_in_as(@user)
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com",
"X-Forwarded-Uri" => "/path/with%20spaces/and-special-chars?param=value&other=123"
}
assert_response 200
end
test "should handle unicode in X-Forwarded-Host" do
sign_in_as(@user)
get "/api/verify", headers: {
"X-Forwarded-Host" => "测试.example.com"
}
assert_response 200
end
# Protocol and Scheme Tests
test "should handle X-Forwarded-Proto header" do
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com",
"X-Forwarded-Proto" => "https"
}
sign_in_as(@user)
assert_response 200
end
test "should handle HTTP protocol in X-Forwarded-Proto" do
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com",
"X-Forwarded-Proto" => "http"
}
sign_in_as(@user)
assert_response 200
# Note: Our implementation doesn't enforce protocol matching
end
# Session and State Tests
test "should maintain session across multiple requests" do
sign_in_as(@user)
# First request
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
assert_response 200
# Second request with same session
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
assert_response 200
# Should maintain user identity across requests
assert_equal @user.email_address, response.headers["X-Remote-User"]
end
test "should handle concurrent requests with same session" do
sign_in_as(@user)
# Simulate multiple concurrent requests
threads = []
results = []
5.times do |i|
threads << Thread.new do
get "/api/verify", headers: { "X-Forwarded-Host" => "app#{i}.example.com" }
results << { status: response.status, user: response.headers["X-Remote-User"] }
end
end
threads.each(&:join)
# All requests should succeed
results.each do |result|
assert_equal 200, result[:status]
assert_equal @user.email_address, result[:user]
end
end
# Header Injection and Security Tests
test "should handle malicious header injection attempts" do
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com\r\nMalicious-Header: injected-value"
}
# Should handle header injection attempts
assert_response 302
end
test "should handle null byte injection in headers" do
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com\0.evil.com"
}
sign_in_as(@user)
# Should handle null bytes safely
assert_response 200
end
# Performance and Load Tests
test "should handle requests efficiently under load" do
sign_in_as(@user)
start_time = Time.current
request_count = 10
request_count.times do |i|
get "/api/verify", headers: { "X-Forwarded-Host" => "app#{i}.example.com" }
assert_response 200
end
total_time = Time.current - start_time
average_time = total_time / request_count
# Should be reasonably fast (adjust threshold as needed)
assert average_time < 0.1, "Average request time too slow: #{average_time}s"
end
end
end

217
test/controllers/concerns/authentication_test.rb Normal file
View File

@@ -0,0 +1,217 @@
require "test_helper"
class AuthenticationTest < ActiveSupport::TestCase
# We'll test the method by creating a simple object that includes the method
# and making the private method accessible for testing
class TestAuthentication
# Copy the extract_root_domain method directly for testing
def extract_root_domain(host)
return nil if host.blank? || host.match?(/^(localhost|127\.0\.0\.1|::1)$/)
# Strip port number for domain parsing
host_without_port = host.split(':').first
# Check if it's an IP address (IPv4 or IPv6) - if so, don't set domain cookie
return nil if IPAddr.new(host_without_port) rescue false
# Use Public Suffix List for accurate domain parsing
domain = PublicSuffix.parse(host_without_port)
".#{domain.domain}"
rescue PublicSuffix::DomainInvalid
# Fallback for invalid domains or IPs
nil
end
end
setup do
@auth = TestAuthentication.new
end
def extract_root_domain(host)
@auth.extract_root_domain(host)
end
# Basic domain extraction tests
test "extract_root_domain handles simple domains" do
assert_equal ".example.com", extract_root_domain("app.example.com")
assert_equal ".example.com", extract_root_domain("www.example.com")
assert_equal ".example.com", extract_root_domain("subdomain.example.com")
assert_equal ".test.com", extract_root_domain("api.test.com")
end
test "extract_root_domain handles direct domain without subdomain" do
assert_equal ".example.com", extract_root_domain("example.com")
assert_equal ".test.org", extract_root_domain("test.org")
end
# Complex TLD pattern tests - these were the original hardcoded cases
test "extract_root_domain handles co.uk domains" do
assert_equal ".example.co.uk", extract_root_domain("app.example.co.uk")
assert_equal ".example.co.uk", extract_root_domain("www.example.co.uk")
assert_equal ".example.co.uk", extract_root_domain("subdomain.example.co.uk")
end
test "extract_root_domain handles com.au domains" do
assert_equal ".example.com.au", extract_root_domain("app.example.com.au")
assert_equal ".example.com.au", extract_root_domain("www.example.com.au")
assert_equal ".example.com.au", extract_root_domain("service.example.com.au")
end
test "extract_root_domain handles co.nz domains" do
assert_equal ".example.co.nz", extract_root_domain("app.example.co.nz")
assert_equal ".example.co.nz", extract_root_domain("www.example.co.nz")
end
test "extract_root_domain handles co.za domains" do
assert_equal ".example.co.za", extract_root_domain("app.example.co.za")
assert_equal ".example.co.za", extract_root_domain("www.example.co.za")
end
test "extract_root_domain handles co.jp domains" do
assert_equal ".example.co.jp", extract_root_domain("app.example.co.jp")
assert_equal ".example.co.jp", extract_root_domain("www.example.co.jp")
end
# Additional complex TLDs that Public Suffix List should handle
test "extract_root_domain handles gov.uk domains" do
assert_equal ".example.gov.uk", extract_root_domain("app.example.gov.uk")
assert_equal ".example.gov.uk", extract_root_domain("www.example.gov.uk")
end
test "extract_root_domain handles ac.uk domains" do
assert_equal ".example.ac.uk", extract_root_domain("uni.example.ac.uk")
assert_equal ".example.ac.uk", extract_root_domain("www.example.ac.uk")
end
test "extract_root_domain handles edu.au domains" do
assert_equal ".example.edu.au", extract_root_domain("student.example.edu.au")
assert_equal ".example.edu.au", extract_root_domain("www.example.edu.au")
end
test "extract_root_domain handles org.uk domains" do
assert_equal ".example.org.uk", extract_root_domain("www.example.org.uk")
assert_equal ".example.org.uk", extract_root_domain("charity.example.org.uk")
end
# Multi-level complex domains
test "extract_root_domain handles very complex domains" do
# Public Suffix List handles these according to official domain rules
# These might be more specific than expected due to how the PSL categorizes domains
assert_equal ".sub.example.kawasaki.jp", extract_root_domain("sub.example.kawasaki.jp")
assert_equal ".city.jp", extract_root_domain("www.example.city.jp")
assert_equal ".metro.tokyo.jp", extract_root_domain("app.example.metro.tokyo.jp")
end
# Special domain patterns that Public Suffix List handles
test "extract_root_domain handles appspot domains" do
assert_equal ".myapp.appspot.com", extract_root_domain("myapp.appspot.com")
assert_equal ".myapp.appspot.com", extract_root_domain("version.myapp.appspot.com")
end
test "extract_root_domain handles github.io domains" do
assert_equal ".username.github.io", extract_root_domain("username.github.io")
assert_equal ".username.github.io", extract_root_domain("project.username.github.io")
end
test "extract_root_domain handles herokuapp domains" do
assert_equal ".myapp.herokuapp.com", extract_root_domain("myapp.herokuapp.com")
assert_equal ".myapp.herokuapp.com", extract_root_domain("staging.myapp.herokuapp.com")
end
# Edge cases
test "extract_root_domain returns nil for localhost" do
assert_nil extract_root_domain("localhost")
assert_nil extract_root_domain("localhost:3000")
end
test "extract_root_domain returns nil for IP addresses" do
# In SSO forward_auth, we never want to set domain cookies for IP addresses
# since there are no subdomains to share the cookie with
# IPv4 addresses
assert_nil extract_root_domain("127.0.0.1")
assert_nil extract_root_domain("192.168.1.1")
assert_nil extract_root_domain("10.0.0.1")
assert_nil extract_root_domain("172.16.0.1")
assert_nil extract_root_domain("8.8.8.8")
assert_nil extract_root_domain("1.1.1.1")
# IPv6 addresses
assert_nil extract_root_domain("::1")
assert_nil extract_root_domain("2001:db8::1")
assert_nil extract_root_domain("::ffff:192.0.2.1")
assert_nil extract_root_domain("2001:0db8:85a3:0000:0000:8a2e:0370:7334")
assert_nil extract_root_domain("fe80::1ff:fe23:4567:890a")
assert_nil extract_root_domain("2001:db8::8a2e:370:7334")
# IPv4-mapped IPv6 addresses
assert_nil extract_root_domain("::ffff:127.0.0.1")
assert_nil extract_root_domain("::ffff:192.168.1.1")
end
test "extract_root_domain returns nil for blank input" do
assert_nil extract_root_domain(nil)
assert_nil extract_root_domain("")
assert_nil extract_root_domain(" ")
end
test "extract_root_domain returns nil for invalid domains" do
# Some invalid domains are handled by Public Suffix List
# The behavior is more correct than the old hardcoded approach
assert_equal ".invalid.domain", extract_root_domain("invalid..domain")
assert_equal ".-invalid.com", extract_root_domain("-invalid.com")
assert_equal ".invalid-.com", extract_root_domain("invalid-.com")
# The Public Suffix List is more permissive with domain validation
# This is actually correct behavior as these are technically valid domains
end
test "extract_root_domain handles port numbers" do
# Port numbers should be stripped for domain parsing
assert_equal ".example.com", extract_root_domain("app.example.com:3000")
assert_equal ".example.com", extract_root_domain("www.example.com:8080")
assert_equal ".example.co.uk", extract_root_domain("app.example.co.uk:443")
end
test "extract_root_domain preserves case correctly in output" do
# Output should always be lowercase with leading dot
assert_equal ".example.com", extract_root_domain("APP.EXAMPLE.COM")
assert_equal ".example.com", extract_root_domain("App.Example.Com")
assert_equal ".example.co.uk", extract_root_domain("WWW.EXAMPLE.CO.UK")
end
# Test cases that might have different behavior between old and new implementation
test "extract_root_domain handles domains with many subdomains" do
assert_equal ".example.com", extract_root_domain("a.b.c.d.e.f.example.com")
assert_equal ".example.co.uk", extract_root_domain("a.b.c.d.example.co.uk")
assert_equal ".example.com.au", extract_root_domain("a.b.c.example.com.au")
end
test "extract_root_domain handles newer TLD patterns" do
# These are patterns the old hardcoded approach would likely get wrong
assert_equal ".example.org", extract_root_domain("sub.example.org")
assert_equal ".example.net", extract_root_domain("api.example.net")
assert_equal ".example.edu", extract_root_domain("www.example.edu")
assert_equal ".example.gov", extract_root_domain("agency.example.gov")
end
# Country code TLDs
test "extract_root_domain handles simple country code TLDs" do
assert_equal ".example.ca", extract_root_domain("www.example.ca")
assert_equal ".example.de", extract_root_domain("app.example.de")
assert_equal ".example.fr", extract_root_domain("site.example.fr")
assert_equal ".example.jp", extract_root_domain("www.example.jp")
assert_equal ".example.au", extract_root_domain("app.example.au") # Not com.au
end
# Test consistency across similar patterns
test "extract_root_domain provides consistent results" do
# All these should extract to the same domain
domain = ".example.com"
assert_equal domain, extract_root_domain("example.com")
assert_equal domain, extract_root_domain("www.example.com")
assert_equal domain, extract_root_domain("app.example.com")
assert_equal domain, extract_root_domain("api.example.com")
assert_equal domain, extract_root_domain("sub.example.com")
end
end