dkam/clinch
1
0
Fork 0
Code Issues 7 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fix ForwardAuth fail-open and consent CSRF bypass

Browse Source 
Two HIGH-severity findings from the security review:

- ForwardAuth: when no host header was present, /api/verify skipped the
  application lookup and group check entirely, returning 200 with identity
  headers (including all of the user's groups). This bypassed per-domain
  access control. Now fails closed with 403, and the unreachable
  DEFAULT_HEADERS fallback (the bypass path) is removed so headers are
  always scoped to a resolved, active application.

- OIDC: the consent endpoint was in the verify_authenticity_token skip
  list, so a forged cross-site POST could silently grant OAuth scopes.
  Removed :consent from the skip list (the form already embeds the token).

Adds regression tests for both: fail-closed with no identity headers when
host is absent, and 422 on a tokenless consent POST.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Dan Milne
2026-06-11 07:52:56 +10:00
parent 2843790cef
commit 703d24e4e4
4 changed files with 46 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
test/controllers/oidc_authorization_code_security_test.rb
View File

@@ -34,6 +34,25 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
# CRITICAL SECURITY TESTS
# ====================
test "consent endpoint rejects cross-site POST without a CSRF token" do
sign_in_as(@user)
# Forgery protection is disabled in the test env by default; enable it so the
# before_action actually runs, mirroring production behaviour.
original = ActionController::Base.allow_forgery_protection
ActionController::Base.allow_forgery_protection = true
begin
# No authenticity_token param: a forged cross-site submission. Because
# :consent is NOT in the verify_authenticity_token skip list, this must be
# rejected before the action can grant any OAuth scopes.
post "/oauth/authorize/consent", params: {approve: "true"}
assert_response :unprocessable_entity
ensure
ActionController::Base.allow_forgery_protection = original
end
end
test "prevents authorization code reuse - sequential attempts" do
# Create consent
OidcUserConsent.create!(