proxy: restrict programmatic URLs to localhost (#2049)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2025-05-12 08:37:38 +02:00 · 2021-04-01 10:04:49 -04:00 · 2021-04-01 10:04:49 -04:00 · c7d243d742
commit c7d243d742
parent 0635c838c9
14 changed files with 822 additions and 126 deletions
--- a/integration/internal/flows/flows.go
+++ b/integration/internal/flows/flows.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"net/http/httptest"
 	"net/url"
 	"strconv"
 	"strings"
@ -87,10 +88,15 @@ func Authenticate(ctx context.Context, client *http.Client, url *url.URL, option
 	originalHostname := url.Hostname()
 	var err error

+	// Serve a local callback for programmatic redirect flow
+	srv := httptest.NewUnstartedServer(http.RedirectHandler(url.String(), http.StatusFound))
+	defer srv.Close()
+
 	if cfg.apiPath != "" {
+		srv.Start()
 		apiLogin := url
 		q := apiLogin.Query()
-		q.Set(urlutil.QueryRedirectURI, url.String())
+		q.Set(urlutil.QueryRedirectURI, srv.URL)
 		apiLogin.RawQuery = q.Encode()

 		apiLogin.Path = cfg.apiPath
@ -225,6 +231,22 @@ func Authenticate(ctx context.Context, client *http.Client, url *url.URL, option
 		return nil, fmt.Errorf("expected redirect to %s: %w", originalHostname, err)
 	}

+	// Programmatic flow: Follow redirect from local callback
+	if cfg.apiPath != "" {
+		req, err = requestFromRedirectResponse(ctx, res, req)
+		if err != nil {
+			return nil, fmt.Errorf("expected redirect to %s: %w", srv.URL, err)
+		}
+		res, err = client.Do(req)
+		if err != nil {
+			return nil, err
+		}
+		req, err = requestFromRedirectResponse(ctx, res, req)
+		if err != nil {
+			return nil, fmt.Errorf("expected redirect to %s: %w", originalHostname, err)
+		}
+	}
+
 	return client.Do(req)
 }