[arvados] updated: 2.1.0-3023-gbd25fd958
git repository hosting
git at public.arvados.org
Tue Nov 8 14:22:36 UTC 2022
Summary of changes:
lib/config/config.default.yml | 6 +++---
lib/controller/localdb/login.go | 3 +++
lib/controller/localdb/login_oidc_test.go | 7 ++++---
3 files changed, 10 insertions(+), 6 deletions(-)
via bd25fd95831117fe70864f1d03a9504b68c85ba8 (commit)
via f68ba06c5e85b748f13f723373e1fbe79fa8e563 (commit)
from e2149a153e3432c24320b7574934a5f1f4040df7 (commit)
commit bd25fd95831117fe70864f1d03a9504b68c85ba8
Merge: e2149a153 f68ba06c5
Author: Tom Clegg <tom at curii.com>
Date: Tue Nov 8 09:22:01 2022 -0500
Merge branch '19240-check-redirect'
refs #19240
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>
commit f68ba06c5e85b748f13f723373e1fbe79fa8e563
Author: Tom Clegg <tom at curii.com>
Date: Tue Nov 8 09:21:49 2022 -0500
19240: Treat localhost as a private-network client.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index fd91442db..09c068a0b 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -893,9 +893,9 @@ Clusters:
TrustedClients:
SAMPLE: {}
- # Treat any origin whose host part is a private IP address
- # (e.g., http://10.0.0.123/) as if it were listed in
- # TrustedClients.
+ # Treat any origin whose host part is "localhost" or a private
+ # IP address (e.g., http://10.0.0.123:3000/) as if it were
+ # listed in TrustedClients.
#
# Intended only for test/development use. Not appropriate for
# production use.
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 866db0866..a1ac2c55b 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -186,6 +186,9 @@ func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) erro
return nil
}
if cluster.Login.TrustPrivateNetworks {
+ if u.Hostname() == "localhost" {
+ return nil
+ }
if ip := net.ParseIP(u.Hostname()); len(ip) > 0 {
for _, n := range privateNetworks {
if n.Contains(ip) {
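Review bot: The new comparison `u.Hostname() == "localhost"` is an exact, case-sensitive string match, so `https://LocalHost/` or `https://localhost./` is still denied even though name resolution treats them as the same host; that is fail-closed and acceptable, but it deserves a comment so a later maintainer does not widen it into a suffix or case-insensitive match. I would put above the new `if`: `// Exact match on purpose: the browser resolves "localhost" to the user's own machine; anything wider (*.localhost, mixed case) must be an explicit TrustedClients entry.` The exemption sits inside the `TrustPrivateNetworks` branch, so it only widens trust in the test/dev configuration the config comment already warns against, which is the right posture. Whether the URL scheme was already validated before this point cannot be seen here: validateLoginRedirectTarget starts above the hunk and the private-network loop continues below it.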
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index 49629bb22..0fe3bdf7f 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -669,14 +669,15 @@ func (s *OIDCLoginSuite) TestValidateLoginRedirectTarget(c *check.C) {
{true, false, "https://app.example.com/"},
{true, false, "https://app.example.com:443/foo?bar=baz"},
// non-listed hostname => deny (regardless of TrustPrivateNetworks)
- {false, false, "https://localhost/"},
- {false, true, "https://localhost/"},
+ {false, false, "https://bad.example/"},
{false, true, "https://bad.example/"},
// non-listed non-private IP addr => deny (regardless of TrustPrivateNetworks)
{false, true, "https://1.2.3.4/"},
{false, true, "https://1.2.3.4/"},
{false, true, "https://[ab::cd]:1234/"},
- // non-listed private IP addr => accept only if TrustPrivateNetworks is set
+ // localhost or non-listed private IP addr => accept only if TrustPrivateNetworks is set
+ {false, false, "https://localhost/"},
+ {true, true, "https://localhost/"},
{false, false, "https://[10.9.8.7]:80/foo"},
{true, true, "https://[10.9.8.7]:80/foo"},
{false, false, "https://[::1]:80/foo"},
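Review bot: The two new `localhost` cases only pin the lowercase, port-less spelling, so nothing in the table asserts that the match is deliberately narrow or that the port is ignored as the config comment (`http://10.0.0.123:3000/`) implies. I would add, next to the new cases: `{true, true, "https://localhost:3000/"}`, `{false, true, "https://LOCALHOST/"}` and `{false, true, "https://app.localhost/"}` so a future change to a case-insensitive or suffix match would fail the test rather than silently broaden trust. Unrelated to this commit, the context lines for `https://1.2.3.4/` are duplicated and one could be dropped. The table continues past the end of the hunk.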