Validate OAuth returnTo URLs to prevent API access

geropl · ona-agent · geropl · commit 89f028cf865d · 2025-07-24T14:16:34.000Z
- Add URL validation in authenticator to reject returnTo URLs pointing to /api paths or api. subdomains
- Move isApiPath method into validateAuthorizeReturnToUrl for better encapsulation
- Maintain existing prefix-based domain validation in getReturnToParamWithSafeBaseDomain
- Add comprehensive tests for validation functions
- Covers edge cases: case insensitivity, malformed URLs, query params

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/components/server/src/auth/authenticator.spec.ts b/components/server/src/auth/authenticator.spec.ts
@@ -0,0 +1,189 @@
+/**
+ * Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import * as chai from "chai";
+import { validateAuthorizeReturnToUrl } from "./authenticator";
+import { Config } from "../config";
+import { AuthProvider } from "./auth-provider";
+
+const expect = chai.expect;
+
+describe("authenticator", function () {
+    describe("validateAuthorizeReturnToUrl", function () {
+        const mockConfig = {
+            hostUrl: {
+                url: new URL("https://gitpod.io"),
+            },
+        } as Config;
+
+        const mockAuthProvider = {} as AuthProvider;
+
+        describe("valid URLs", function () {
+            it("should return true for valid URLs from configured domain", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io/dashboard",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.true;
+            });
+
+            it("should return true for valid URLs from www.gitpod.io", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://www.gitpod.io/pricing",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.true;
+            });
+
+            it("should return false for URLs with subdomain that don't match prefix", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://app.gitpod.io/workspaces",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.false;
+            });
+        });
+
+        describe("invalid URLs - API paths", function () {
+            it("should return false for URLs with /api path", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io/api/authorize",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.false;
+            });
+
+            it("should return false for URLs with /api path", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io/api/users",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.false;
+            });
+
+            it("should return false for URLs with /api/ path", function () {
+                const result = validateAuthorizeReturnToUrl("https://gitpod.io/api/", mockConfig, mockAuthProvider);
+                expect(result).to.be.false;
+            });
+
+            it("should return false for URLs with /API path (case insensitive)", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io/API/users",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.false;
+            });
+
+            it("should return false for URLs with /api/callback path", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io/api/callback",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.false;
+            });
+
+            it("should return false for URLs with api. subdomain", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://api.gitpod.io/users",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.false;
+            });
+
+            it("should return false for URLs with API. subdomain (case insensitive)", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://API.gitpod.io/users",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.false;
+            });
+
+            it("should return false for URLs with api. subdomain and /callback path", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://api.gitpod.io/callback",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.false;
+            });
+        });
+
+        describe("invalid URLs - external domains", function () {
+            it("should return false for URLs from external domains", function () {
+                const result = validateAuthorizeReturnToUrl("https://evil.com/dashboard", mockConfig, mockAuthProvider);
+                expect(result).to.be.false;
+            });
+
+            it("should return false for URLs that look similar but are external", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io.evil.com/dashboard",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.false;
+            });
+        });
+
+        describe("malformed URLs", function () {
+            it("should return false for malformed URLs", function () {
+                const result = validateAuthorizeReturnToUrl("not-a-url", mockConfig, mockAuthProvider);
+                expect(result).to.be.false;
+            });
+
+            it("should return false for URLs with invalid protocol", function () {
+                const result = validateAuthorizeReturnToUrl("javascript:alert('xss')", mockConfig, mockAuthProvider);
+                expect(result).to.be.false;
+            });
+        });
+
+        describe("edge cases", function () {
+            it("should return true for URLs with query parameters", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io/dashboard?tab=workspaces",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.true;
+            });
+
+            it("should return true for URLs with fragments", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io/dashboard#workspaces",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.true;
+            });
+
+            it("should return true for URLs with 'api' in query parameter but not in path", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io/dashboard?redirect=/api",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.true;
+            });
+
+            it("should return true for URLs with 'api' in path but not starting with /api", function () {
+                const result = validateAuthorizeReturnToUrl(
+                    "https://gitpod.io/graphql-api",
+                    mockConfig,
+                    mockAuthProvider,
+                );
+                expect(result).to.be.true;
+            });
+        });
+    });
+});
diff --git a/components/server/src/auth/authenticator.ts b/components/server/src/auth/authenticator.ts
@@ -18,6 +18,7 @@ import { UserService } from "../user/user-service";
 import { AuthFlow, AuthProvider } from "./auth-provider";
 import { HostContextProvider } from "./host-context-provider";
 import { SignInJWT } from "./jwt";
+import { getReturnToParamWithSafeBaseDomain } from "../express-util";
 
 @injectable()
 export class Authenticator {
@@ -239,6 +240,14 @@ export class Authenticator {
             return;
         }
 
+        // Validate returnTo URL
+        const valid = validateAuthorizeReturnToUrl(returnTo, this.config, authProvider);
+        if (!valid) {
+            log.info(`Bad request: invalid returnTo URL.`, { "authorize-flow": true });
+            res.redirect(this.getSorryUrl(`Bad request: invalid returnTo URL.`));
+            return;
+        }
+
         // For non-verified org auth provider, ensure user is an owner of the org
         if (!authProvider.info.verified && authProvider.info.organizationId) {
             const member = await this.teamDb.findTeamMembership(user.id, authProvider.info.organizationId);
@@ -322,3 +331,35 @@ export class Authenticator {
         return this.config.hostUrl.asSorry(message).toString();
     }
 }
+
+// Whether the passed URL is a valid returnTo URL for OAuth authorization
+export function validateAuthorizeReturnToUrl(returnTo: string, config: Config, authProvider: AuthProvider): boolean {
+    function isApiPath(url: string): boolean {
+        try {
+            const parsedUrl = new URL(url);
+
+            // Check if hostname starts with "api."
+            if (parsedUrl.hostname.toLowerCase().startsWith("api.")) {
+                return true;
+            }
+
+            // Check if path starts with "/api"
+            if (parsedUrl.pathname.toLowerCase().startsWith("/api")) {
+                return true;
+            }
+
+            return false;
+        } catch {
+            // If URL parsing fails, consider it invalid
+            return true;
+        }
+    }
+
+    // Reject URLs that point to API endpoints
+    if (isApiPath(returnTo)) {
+        return false;
+    }
+
+    const validUrl = getReturnToParamWithSafeBaseDomain(returnTo, config.hostUrl.url);
+    return validUrl !== undefined;
+}
diff --git a/components/server/src/express-util.spec.ts b/components/server/src/express-util.spec.ts
@@ -5,7 +5,7 @@
  */
 
 import * as chai from "chai";
-import { isAllowedWebsocketDomain } from "./express-util";
+import { isAllowedWebsocketDomain, getReturnToParamWithSafeBaseDomain } from "./express-util";
 const expect = chai.expect;
 
 describe("express-util", function () {
@@ -47,4 +47,82 @@ describe("express-util", function () {
             expect(result).to.be.false;
         });
     });
+
+    describe("getReturnToParamWithSafeBaseDomain", function () {
+        const configuredBaseDomain = new URL("https://gitpod.io");
+
+        describe("valid URLs", function () {
+            it("should allow URLs from configured base domain", function () {
+                const result = getReturnToParamWithSafeBaseDomain("https://gitpod.io/dashboard", configuredBaseDomain);
+                expect(result).to.equal("https://gitpod.io/dashboard");
+            });
+
+            it("should allow URLs from www.gitpod.io", function () {
+                const result = getReturnToParamWithSafeBaseDomain(
+                    "https://www.gitpod.io/pricing",
+                    configuredBaseDomain,
+                );
+                expect(result).to.equal("https://www.gitpod.io/pricing");
+            });
+
+            it("should reject URLs with subdomain that don't match prefix", function () {
+                const result = getReturnToParamWithSafeBaseDomain(
+                    "https://app.gitpod.io/workspaces",
+                    configuredBaseDomain,
+                );
+                expect(result).to.be.undefined;
+            });
+
+            it("should handle undefined returnToURL", function () {
+                const result = getReturnToParamWithSafeBaseDomain(undefined, configuredBaseDomain);
+                expect(result).to.be.undefined;
+            });
+
+            it("should handle empty returnToURL", function () {
+                const result = getReturnToParamWithSafeBaseDomain("", configuredBaseDomain);
+                expect(result).to.be.undefined;
+            });
+        });
+
+        describe("invalid URLs - external domains", function () {
+            it("should reject URLs from external domains", function () {
+                const result = getReturnToParamWithSafeBaseDomain("https://evil.com/dashboard", configuredBaseDomain);
+                expect(result).to.be.undefined;
+            });
+
+            it("should reject URLs that look similar but are external", function () {
+                const result = getReturnToParamWithSafeBaseDomain(
+                    "https://gitpod.io.evil.com/dashboard",
+                    configuredBaseDomain,
+                );
+                expect(result).to.be.undefined;
+            });
+        });
+
+        describe("edge cases", function () {
+            it("should allow URLs with query parameters", function () {
+                const result = getReturnToParamWithSafeBaseDomain(
+                    "https://gitpod.io/dashboard?tab=workspaces",
+                    configuredBaseDomain,
+                );
+                expect(result).to.equal("https://gitpod.io/dashboard?tab=workspaces");
+            });
+
+            it("should allow URLs with fragments", function () {
+                const result = getReturnToParamWithSafeBaseDomain(
+                    "https://gitpod.io/dashboard#workspaces",
+                    configuredBaseDomain,
+                );
+                expect(result).to.equal("https://gitpod.io/dashboard#workspaces");
+            });
+
+            it("should allow URLs with 'api' in path but not starting with /api", function () {
+                const result = getReturnToParamWithSafeBaseDomain(
+                    "https://gitpod.io/graphql-api",
+                    configuredBaseDomain,
+                );
+                expect(result).to.equal("https://gitpod.io/graphql-api");
+            });
+        });
+    });
 });
diff --git a/components/server/src/express-util.ts b/components/server/src/express-util.ts
@@ -159,3 +159,26 @@ export function toClientHeaderFields(expressReq: express.Request): ClientHeaderF
         clientRegion: takeFirst(expressReq.headers["x-glb-client-region"]),
     };
 }
+
+export function getReturnToParamWithSafeBaseDomain(
+    returnToURL: string | undefined,
+    configuredBaseDomain: URL,
+): string | undefined {
+    function urlStartsWith(url: string, prefixUrl: string): boolean {
+        prefixUrl += prefixUrl.endsWith("/") ? "" : "/";
+        return url.toLowerCase().startsWith(prefixUrl.toLowerCase());
+    }
+
+    if (!returnToURL) {
+        return undefined;
+    }
+
+    if (
+        urlStartsWith(returnToURL, configuredBaseDomain.toString()) ||
+        urlStartsWith(returnToURL, "https://www.gitpod.io")
+    ) {
+        return returnToURL;
+    }
+
+    return;
+}
diff --git a/components/server/src/user/user-controller.ts b/components/server/src/user/user-controller.ts
diff --git a/components/server/src/util/featureflags.ts b/components/server/src/util/featureflags.ts
