From 72708c748c949c3a5129f79a696c0712b486fecc Mon Sep 17 00:00:00 2001
From: Colin Adler
Date: Mon, 4 Mar 2024 18:38:15 +0000
Subject: [PATCH 1/2] chore: add patch notes for v2.7.3

---
 docs/changelogs/v2.7.3.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 docs/changelogs/v2.7.3.md

diff --git a/docs/changelogs/v2.7.3.md b/docs/changelogs/v2.7.3.md
new file mode 100644
index 0000000000000..7839048429196
--- /dev/null
+++ b/docs/changelogs/v2.7.3.md
@@ -0,0 +1,20 @@
+## Changelog
+
+All users are recommended to upgrade to a version that patches
+[GHSA-7cc2-r658-7xpf](https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf)
+as soon as possible if they are using OIDC authentication with the
+`CODER_OIDC_EMAIL_DOMAIN` setting.
+
+### Security
+
+- Fixes [GHSA-7cc2-r658-7xpf](https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf)
+
+Compare: [`v2.7.2...v2.7.3`](https://github.com/coder/coder/compare/v2.7.2...v2.7.3)
+
+## Container image
+
+- `docker pull ghcr.io/coder/coder:v2.7.3`
+
+## Install/upgrade
+
+Refer to our docs to [install](https://coder.com/docs/v2/latest/install) or [upgrade](https://coder.com/docs/v2/latest/admin/upgrade) Coder, or use a release asset below.

From 2ba84911f8b02605e5958d5e4a2fe3979ec50b31 Mon Sep 17 00:00:00 2001
From: Colin Adler
Date: Mon, 4 Mar 2024 11:52:03 -0600
Subject: [PATCH 2/2] Merge pull request from GHSA-7cc2-r658-7xpf

This fixes a vulnerability with the `CODER_OIDC_EMAIL_DOMAIN` option, where users with a superset of the allowed email domain would be allowed to login. For example, given `CODER_OIDC_EMAIL_DOMAIN=google.com`, a user would be permitted entry if their email domain was `colin-google.com`.

(cherry picked from commit 4439a920e454a82565e445e4376c669e3b89591c)
---
 coderd/userauth.go | 12 ++++++++++--
 coderd/userauth_test.go | 11 +++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/coderd/userauth.go b/coderd/userauth.go
index 4c160c883e6e1..51fb31e0ee9ce 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -906,15 +906,23 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
  if len(api.OIDCConfig.EmailDomain) > 0 {
  ok = false
+ emailSp := strings.Split(email, "@")
+ if len(emailSp) == 1 {
+ httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+ Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
+ })
+ return
+ }
+ userEmailDomain := emailSp[len(emailSp)-1]
  for _, domain := range api.OIDCConfig.EmailDomain {
- if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
+ if strings.EqualFold(userEmailDomain, domain) {
  ok = true
  break
  }
  }
  if !ok {
  httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
- Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomain),
+ Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
  })
  return
  }
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index fe6ded1e901b1..63e94deef92dc 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -664,6 +664,17 @@ func TestUserOIDC(t *testing.T) {
  "kwc.io",
  },
  StatusCode: http.StatusOK,
+ }, {
+ Name: "EmailDomainSubset",
+ IDTokenClaims: jwt.MapClaims{
+ "email": "colin@gmail.com",
+ "email_verified": true,
+ },
+ AllowSignups: true,
+ EmailDomain: []string{
+ "mail.com",
+ },
+ StatusCode: http.StatusForbidden,
  }, {
  Name: "EmptyClaims",
  IDTokenClaims: jwt.MapClaims{},
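Review bot: The added `len(emailSp) == 1` branch writes the same Forbidden response that the `if !ok` block below already produces, and an address ending in `@` passes it with an empty `userEmailDomain`, which `strings.EqualFold` would then accept should the configured list ever contain an empty entry. Taking the domain with `strings.LastIndex` and skipping empty candidates leaves one rejection path that covers all three cases (no `@`, trailing `@`, domain not allowed). The switch from `HasSuffix` to `EqualFold` also stops admitting subdomains (`user@mail.example.com` against `example.com`) that the old code accepted; that looks like the intended tightening, but a comment on the loop and a line in the changelog would spare operators a surprise. userOIDC starts and ends outside the hunk.
```go
	// Only the text after the last '@' is the domain; an address without
	// one yields "" and matches nothing below. Exact (case-insensitive)
	// match only: subdomains must be listed explicitly.
	userEmailDomain := ""
	if at := strings.LastIndex(email, "@"); at >= 0 {
		userEmailDomain = email[at+1:]
	}
	for _, domain := range api.OIDCConfig.EmailDomain {
		if domain != "" && strings.EqualFold(userEmailDomain, domain) {
			ok = true
			break
		}
	}
	// … unchanged: Forbidden response when !ok …
```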
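Review bot: The new case exercises only the suffix-superset bug; neither of the other behaviours this commit introduces — an email claim with no `@`, and a subdomain such as `colin@sub.mail.com` against `mail.com` that is now rejected — has a case here, so a regression in either would still pass. Two more entries next to this one, e.g. `Name: "EmailDomainNoAt"` with `"email": "colin"` and `Name: "EmailDomainSubdomain"` with `"email": "colin@sub.mail.com"`, both with `StatusCode: http.StatusForbidden`, would pin them. The name `EmailDomainSubset` also reads oddly next to the commit message, which describes the rejected domain as a superset of the allowed one; something like `EmailDomainSuffixOnly` says what is actually checked. TestUserOIDC continues on both sides of the hunk.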