diff --git a/coderd/userauth.go b/coderd/userauth.go
index 4c160c883e6e1..51fb31e0ee9ce 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -906,15 +906,23 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 if len(api.OIDCConfig.EmailDomain) > 0 {
 ok = false
+ emailSp := strings.Split(email, "@")
+ if len(emailSp) == 1 {
+ httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+ Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
+ })
+ return
+ }
+ userEmailDomain := emailSp[len(emailSp)-1]
 for _, domain := range api.OIDCConfig.EmailDomain {
- if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
+ if strings.EqualFold(userEmailDomain, domain) {
 ok = true
 break
 }
 }
 if !ok {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
- Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomain),
+ Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
 })
 return
 }
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index fe6ded1e901b1..63e94deef92dc 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -664,6 +664,17 @@ func TestUserOIDC(t *testing.T) {
 "kwc.io",
 },
 StatusCode: http.StatusOK,
+ }, {
+ Name: "EmailDomainSubset",
+ IDTokenClaims: jwt.MapClaims{
+ "email": "colin@gmail.com",
+ "email_verified": true,
+ },
+ AllowSignups: true,
+ EmailDomain: []string{
+ "mail.com",
+ },
+ StatusCode: http.StatusForbidden,
 }, {
 Name: "EmptyClaims",
 IDTokenClaims: jwt.MapClaims{},
diff --git a/docs/changelogs/v2.7.3.md b/docs/changelogs/v2.7.3.md
new file mode 100644
index 0000000000000..7839048429196
--- /dev/null
+++ b/docs/changelogs/v2.7.3.md
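Review bot: The new `len(emailSp) == 1` guard rejects an email with no `@`, but an email ending in `@` (e.g. `colin@`) passes it with an empty `userEmailDomain`, which `strings.EqualFold` would accept against any empty entry in `api.OIDCConfig.EmailDomain`; whether the config loader can produce an empty entry (say from a trailing comma) is not visible here, so `if len(emailSp) == 1 || emailSp[len(emailSp)-1] == "" {` is a cheap belt-and-braces check. The move from suffix to exact match also means an entry written as `@example.com`, which the old `HasSuffix` accepted, now never matches; if such configs exist in the wild, `strings.EqualFold(userEmailDomain, strings.TrimPrefix(domain, "@"))` keeps them working without reopening the suffix hole. A why-comment above the loop would protect the fix from a future "simplification", e.g. `// Compare the whole domain, never a suffix: "colin@notgmail.com" must not satisfy "gmail.com".` The body of userOIDC begins and ends outside this hunk.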
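Review bot: The new early-return branch in userauth.go for an email without an `@` is not covered by this table; the added `EmailDomainSubset` case only exercises the exact-match path. A sibling case with `"email": "colin"`, `EmailDomain: []string{"gmail.com"}` and `StatusCode: http.StatusForbidden` would pin that branch, and a case-insensitivity case (`colin@GMAIL.com` against `gmail.com` expecting `http.StatusOK`) would guard the choice of `EqualFold` over a plain `==`. The test table starts and ends outside the hunk.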
@@ -0,0 +1,20 @@
+## Changelog
+
+All users are recommended to upgrade to a version that patches
+[GHSA-7cc2-r658-7xpf](https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf)
+as soon as possible if they are using OIDC authentication with the
+`CODER_OIDC_EMAIL_DOMAIN` setting.
+
+### Security
+
+- Fixes [GHSA-7cc2-r658-7xpf](https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf)
+
+Compare: [`v2.7.2...v2.7.3`](https://github.com/coder/coder/compare/v2.7.2...v2.7.3)
+
+## Container image
+
+- `docker pull ghcr.io/coder/coder:v2.7.3`
+
+## Install/upgrade
+
+Refer to our docs to [install](https://coder.com/docs/v2/latest/install) or [upgrade](https://coder.com/docs/v2/latest/admin/upgrade) Coder, or use a release asset below.