-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow for a validation regex for the next_link query parameter #285
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good, though I'm slightly concerned that a regex is a bit hard to use securely. For example, you need to check the link is https?
rather than javascript or data; and http://server\.com.*
is insecure, because it matches http://server.com.phishing.site/pwnmydataplease
. https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md#validating-urls specifically advises against using a regex due to this sort of footgun.
would a whitelist of domains serve the same purpose but be harder to mess up?
This sounds good, thanks for looking into how easy it is to mess this up. So a whitelist of domains looking something like:
And then building a regex that looks like |
why build a regex? Follow the advice at https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md#validating-urls:
Obligatory jwz quote:
|
6465db3
to
795f85f
Compare
795f85f
to
0b1e169
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
otherwise seems sane I think.
…omain whitelist (#8275) This is a config option ported over from DINUM's Sydent: matrix-org/sydent#285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to #8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
…omain whitelist (#8275) This is a config option ported over from DINUM's Sydent: matrix-org/sydent#285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to matrix-org/synapse#8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
Allows setting a regex to validate the
next_link
query parameter on creating and validating 3pid validation sessions.CI is expected to fail :/