Bug #19240
closed
Avoid open redirect in login process
Added by Peter Amstutz over 2 years ago.
Updated about 2 years ago.
Estimated time: (Total: 0.00 h)
Release relationship: Auto
Description
Add config option to allow redirect-with-token to http[s]://ipaddr:port/ where ipaddr is in one of the reserved private IP ranges ("not recommended for production")
- Target version changed from 2022-07-20 to 2022-08-03 Sprint
- Target version changed from 2022-08-03 Sprint to 2022-08-17 sprint
- Target version changed from 2022-08-17 sprint to 2022-08-31 sprint
- Target version changed from 2022-08-31 sprint to 2022-09-28 sprint
- Target version changed from 2022-09-28 sprint to 2022-10-12 sprint
- Target version changed from 2022-10-12 sprint to 2022-10-26 sprint
- Target version changed from 2022-10-26 sprint to 2022-11-09 sprint
- Description updated (diff)
- Assigned To set to Tom Clegg
- Status changed from New to In Progress
The code LGTM. There's just one suggestion:
- In LoginCluster federations, the admins need to list the satellite cluster's URLs, so I think we would need one of two things:
  - The easiest: Add a note about that on the upgrade notes.
  - The fancier: Make controller discover the URLs, as it doesn't make sense to avoid logins on a LoginCluster.
The "fancier" may have some edge cases, like periodically polling for URL changes and error handling, so the "easiest" alternative is fine with me; it would just add some burden to the admins.
Addendum: I did read the added upgrade notes, but I think it would be nice to explicitly say that LoginCluster federations also need this config update.
Good point. Added a bit to call out the federation case specifically.
Agree automatically recognizing remote clusters' URLs would be better, but I think we can call that an additional feature...? (We're already relying on adding these manually. I updated the relevant bits of the federation docs to a) remind to add wb2 as well as wb1 and b) use proper example domains like cluster2.example instead of cluster2.com)
19240-check-redirect @ 710dc7f830f65232389cf191028edfdfe4cefe77
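As an added example (not Arvados' own code from the branch above), here is a Go check of the kind the description and the LoginCluster discussion call for: a redirect-with-token target is accepted only if its scheme and host exactly match a configured cluster or workbench URL, or, when an assumed AllowPrivate option is on, if the host is an IP literal in a reserved private range. The RedirectConfig type, its field names, and the exact set of ranges are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// RedirectConfig is a hypothetical stand-in for the config described in the issue.
type RedirectConfig struct {
	TrustedURLs  []string // configured cluster/workbench URLs, e.g. https://workbench2.cluster2.example
	AllowPrivate bool     // allow http[s]://ipaddr:port/ for private ranges ("not recommended for production")
}

// Assumed set of reserved private ranges: RFC 1918 plus loopback and IPv6 ULA.
var privateRanges = []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7"}

func isPrivateIP(host string) bool {
	ip := net.ParseIP(host) // nil for hostnames, so only IP literals can pass
	if ip == nil {
		return false
	}
	for _, cidr := range privateRanges {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// RedirectAllowed reports whether returnTo is a safe target for redirect-with-token.
// Scheme and host (including port) must match a trusted URL exactly; prefix matching
// would accept lookalikes such as https://workbench2.cluster2.example.attacker.test.
func (c RedirectConfig) RedirectAllowed(returnTo string) (bool, error) {
	u, err := url.Parse(returnTo)
	if err != nil {
		return false, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false, fmt.Errorf("redirect target must be an absolute http(s) URL")
	}
	for _, t := range c.TrustedURLs {
		if tu, err := url.Parse(t); err == nil &&
			strings.EqualFold(tu.Scheme, u.Scheme) && strings.EqualFold(tu.Host, u.Host) {
			return true, nil
		}
	}
	if c.AllowPrivate && isPrivateIP(u.Hostname()) {
		return true, nil
	}
	return false, fmt.Errorf("%q is not a configured cluster/workbench URL", u.Host)
}
```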
- Status changed from In Progress to Resolved