New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
attack against user session with omniauth.origin #910
Comments
Unless there's something that I'm missing, this check is typically handled through Rack::Session::Cookie: ActionDispatch::Cookies::CookieJar |
@tmilewski I'm not quite sure what you mean. If you're saying that the Cookie(Jar) code notices that the cookie is > 4k and raises an exception, then yes, it does. What I'm saying is that OmniAuth makes it easy for other parties (other than the application itself, I mean) to cause this exception by sending the user to This, by itself, is not a huge deal; it's just annoying. But: Let's say you're using the ActiveRecord session store, and someone repeatedly initiates a new session and goes to Also, the purpose of So OmniAuth actually makes it more difficult to (safely) save the user's location than it would be if it did not store But if you choose the second option and you're using a cookie store for your sessions, you need to worry about the fact that you're now trying to put two, potentially large URLs in the session, even though you only care about one of them. In which case you could add a setup phase proc that does something like this: setup: -> (env) {
request = Rack::Request.new(env)
request.update_param("origin", "X")
} Because if you put the empty string in This isn't just a theoretical scenario. We experienced a cookie overflow for precisely this reason. At the time, we didn't know that OmniAuth was already storing the HTTP_REFERER value, and we thought, at first, that it would be a good idea to use the That said, it's entirely possible that I'm missing something important here, and that there's a very simple way to use |
@tmilewski Yes, that's much more convenient -- thank you! (I'd argue that the default behavior should be that there is no origin param, but I understand that that wouldn't be backwards-compatible.) |
@97jaz I agree with you that the default shouldn't include |
Pushed as Thanks! |
Thank you, @tmilewski! |
Please complete all sections.
Configuration
omniauth-auth0
2.4.2
rails-5.1.4
OS X
,Linux
Expected Behavior
Omniauth shouldn't allow untrusted parties to populate the user session with arbitrary data by blindly trusting the contents of the
origin
query parameter in aGET
to/auth/<provider>
.Actual Behavior
Omniauth puts the contents of the
origin
query parameter into the user's session.If the application is using cookies for session storage, it is trivially easy to overflow a user's session cookie by redirecting them to
/auth/<provider>?origin=<string longer than 4k>
. (Or, use a value that gets the session cookie close to, but not over, the 4k limit, so that auth succeeds, but any attempt to put anything into the user's session after that causes it to overflow.)If the application is using different session storage, it opens a possible DOS attack against the storage layer.
Steps to Reproduce
Navigate to
/auth/<provider>?origin=<long string>
.--
Maybe I've missed some important aspect of how this feature works, but it seems to me that saving the user's location is much easier to do securely in the application layer, rather than the middleware layer.
The text was updated successfully, but these errors were encountered: