Prevent XSS possibility from SSO SAML Service URLs (#1691)
* validate sso service urls for HTML meta chars * also check for double quotes
This commit is contained in:
parent
68e20fe649
commit
10c5a29c47
@ -159,6 +159,25 @@ namespace Bit.Core.Models.Api
|
||||
yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleSignOnServiceUrlValidationError"),
|
||||
new[] { nameof(IdpSingleSignOnServiceUrl) });
|
||||
}
|
||||
|
||||
if (ContainsHtmlMetaCharacters(IdpSingleSignOnServiceUrl))
|
||||
{
|
||||
yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleSignOnServiceUrlInvalid"),
|
||||
new[] { nameof(IdpSingleSignOnServiceUrl) });
|
||||
}
|
||||
|
||||
if (ContainsHtmlMetaCharacters(IdpArtifactResolutionServiceUrl))
|
||||
{
|
||||
yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpArtifactResolutionServiceUrlInvalid"),
|
||||
new[] { nameof(IdpArtifactResolutionServiceUrl) });
|
||||
}
|
||||
|
||||
if (ContainsHtmlMetaCharacters(IdpSingleLogoutServiceUrl))
|
||||
{
|
||||
yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleLogoutServiceUrlInvalid"),
|
||||
new[] { nameof(IdpSingleLogoutServiceUrl) });
|
||||
}
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(IdpX509PublicCert))
|
||||
{
|
||||
// Validate the certificate is in a valid format
|
||||
@ -240,5 +259,14 @@ namespace Bit.Core.Models.Api
|
||||
string.Empty,
|
||||
RegexOptions.Multiline | RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
|
||||
}
|
||||
|
||||
private bool ContainsHtmlMetaCharacters(string url)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(url))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
return Regex.IsMatch(url, "[<>\"]");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
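Review bot: `ContainsHtmlMetaCharacters` in the second hunk is a three-character denylist (`<`, `>`, `"`), and whether that is sufficient depends on the output context the URL is later rendered into, which is outside this hunk — characters that matter in other contexts (a single quote, for instance) still pass. A positive check is more robust, e.g. `return !Uri.TryCreate(url, UriKind.Absolute, out _) || url.IndexOfAny(HtmlMetaCharacters) >= 0;` with `private static readonly char[] HtmlMetaCharacters = { '<', '>', '"' };`, keeping the character test as defence in depth; it is unclear from here whether the URL-format validation that precedes line 14 already covers all three properties, in which case only the `IndexOfAny` change is needed. The method reads no instance state, so it can be `private static`, and `IndexOfAny` also avoids running a regex on every validation pass. The validation iterator that the first hunk patches begins above the hunk, and the namespace and class it belongs to are only partially visible.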
@ -442,19 +442,19 @@
|
||||
<data name="RequestId" xml:space="preserve">
|
||||
<value>Request ID</value>
|
||||
</data>
|
||||
<data name="Redirecting">
|
||||
<data name="Redirecting" xml:space="preserve">
|
||||
<value>Redirecting</value>
|
||||
</data>
|
||||
<data name="RedirectingMessage">
|
||||
<data name="RedirectingMessage" xml:space="preserve">
|
||||
<value>You are now being returned to the application. Once complete, you may close this tab.</value>
|
||||
</data>
|
||||
<data name="IfIdpWantAuthnRequestsSigned">
|
||||
<data name="IfIdpWantAuthnRequestsSigned" xml:space="preserve">
|
||||
<value>If IdP Wants Authn Requests Signed</value>
|
||||
</data>
|
||||
<data name="Always">
|
||||
<data name="Always" xml:space="preserve">
|
||||
<value>Always</value>
|
||||
</data>
|
||||
<data name="Never">
|
||||
<data name="Never" xml:space="preserve">
|
||||
<value>Never</value>
|
||||
</data>
|
||||
<data name="IdpX509PublicCertValidationError" xml:space="preserve">
|
||||
@ -466,33 +466,33 @@
|
||||
<data name="IdpX509PublicCertCryptographicExceptionValidationError" xml:space="preserve">
|
||||
<value>The IdP public certificate provided does not appear to be a valid certificate, please ensure this is a valid, Base64 encoded PEM or CER format public certificate valid for signing: {0}</value>
|
||||
</data>
|
||||
<data name="CopyCallbackPath">
|
||||
<data name="CopyCallbackPath" xml:space="preserve">
|
||||
<value>Copy the OIDC callback path to your clipboard</value>
|
||||
</data>
|
||||
<data name="CopySignedOutCallbackPath">
|
||||
<data name="CopySignedOutCallbackPath" xml:space="preserve">
|
||||
<value>Copy the OIDC signed out callback path to your clipboard</value>
|
||||
</data>
|
||||
<data name="CopySpEntityId">
|
||||
<data name="CopySpEntityId" xml:space="preserve">
|
||||
<value>Copy the SP Entity Id to your clipboard</value>
|
||||
</data>
|
||||
<data name="CopySpMetadataUrl">
|
||||
<data name="CopySpMetadataUrl" xml:space="preserve">
|
||||
<value>Copy the SAML 2.0 Metadata URL to your clipboard</value>
|
||||
</data>
|
||||
<data name="LaunchSpMetadataUrl">
|
||||
<data name="LaunchSpMetadataUrl" xml:space="preserve">
|
||||
<value>View the SAML 2.0 Metadata (opens in a new window)</value>
|
||||
</data>
|
||||
<data name="CopySpAcsUrl">
|
||||
<data name="CopySpAcsUrl" xml:space="preserve">
|
||||
<value>Copy the Assertion Consumer Service (ACS) URL to your clipboard</value>
|
||||
</data>
|
||||
<data name="HttpRedirect">
|
||||
<data name="HttpRedirect" xml:space="preserve">
|
||||
<value>Redirect</value>
|
||||
<comment>A SAML binding type, Redirect</comment>
|
||||
</data>
|
||||
<data name="HttpPost">
|
||||
<data name="HttpPost" xml:space="preserve">
|
||||
<value>HTTP POST</value>
|
||||
<comment>A SAML binding type, HTTP POST</comment>
|
||||
</data>
|
||||
<data name="Artifact">
|
||||
<data name="Artifact" xml:space="preserve">
|
||||
<value>Artifact</value>
|
||||
<comment>A SAML binding type, Artifact</comment>
|
||||
</data>
|
||||
@ -667,4 +667,13 @@
|
||||
<data name="ResetPasswordAutoEnrollCheckbox" xml:space="preserve">
|
||||
<value>Require new users to be enrolled automatically</value>
|
||||
</data>
|
||||
</root>
|
||||
<data name="IdpArtifactResolutionServiceUrlInvalid" xml:space="preserve">
|
||||
<value>Artifact resolution service URL contains illegal characters.</value>
|
||||
</data>
|
||||
<data name="IdpSingleLogoutServiceUrlInvalid" xml:space="preserve">
|
||||
<value>Single log out service URL contains illegal characters.</value>
|
||||
</data>
|
||||
<data name="IdpSingleSignOnServiceUrlInvalid" xml:space="preserve">
|
||||
<value>Single sign on service URL contains illegal characters.</value>
|
||||
</data>
|
||||
</root>
|