-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preserve query when building redirect (fix for #695) #696
Conversation
@@ -1678,6 +1678,11 @@ func TestGetRedirect(t *testing.T) { | |||
url: "/foo/bar", | |||
expectedRedirect: "/foo/bar", | |||
}, | |||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add a fragment URI test to the table as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the expected output here? Fragments aren't sent by a browser as part of a request so I don't think a redirect URL could ever contain one could it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At first I actually used a fragment, but I've found in my testing that the fragment is reapplied by the browser (chrome) after redirect. This doc seems to indicate Fragment is stripped, as @JoelSpeed mentioned: https://golang.org/pkg/net/url/#ParseRequestURI
At first I had a fragment in this test case, but then I needed this change to add fragment because URL.RequestURI() stripped it:
diff --git a/oauthproxy.go b/oauthproxy.go
index 4b310b9..5fa2572 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -580,7 +580,12 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
redirect = req.Form.Get("rd")
}
if !p.IsValidRedirect(redirect) {
- redirect = req.URL.Path
+ // Use RequestURI to preserve ?query
+ redirect = req.URL.RequestURI()
+ // RequestURI() will not provide a fragment if present, so grab that here
+ if req.URL.Fragment != "" {
+ redirect += "#" + req.URL.Fragment
+ }
if strings.HasPrefix(redirect, p.ProxyPrefix) {
redirect = "/"
}
I think this code would only be needed to satisfy tests, but not really used at runtime. Let me know what you think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Intestering. I didn't realize that's how it worked under the hood. TIL 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good find. Thanks for the PR!
Overall looks good. Can you add a /fragment#blah
test case and go ahead and add an entry to the CHANGELOG with this PR's link & description?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, will wait for @NickMeves to approve before merge though, to allow for continued discussion of fragments
CHANGELOG.md
Outdated
@@ -4,6 +4,7 @@ | |||
|
|||
## Important Notes | |||
|
|||
- [#696](https://github.com/oauth2-proxy/oauth2-proxy/pull/696) Preserve query when building redirect |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move this line down to the ## Changes since v6.0.0
section (starting on line 13)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops, yeah that makes more sense. Fixed in latest update. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @avoltz
Description
Use URL.RequestURI() in GetRedirect() to preserve any query string
Note: If you cherry-pick just the unit test from this branch the UT will express the same behavior seen in #695
Motivation and Context
Fixes: #695
How Has This Been Tested?
Added unit test for a request with querystring present.
Also built a new oauth2-proxy with these changes and ran it in my env. Confirmed that the redirect works as expected behind the reverse proxy (as described in the linked bug).
Checklist:
I'm not sure if these checkbox items apply, but let me know.