Skip to content

Fix open redirect in legacy SSO flow (idp) #18909

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Sep 17, 2025
Merged

Fix open redirect in legacy SSO flow (idp) #18909

merged 10 commits into from
Sep 17, 2025

Conversation

@MadLittleMods
Copy link
Contributor

@MadLittleMods MadLittleMods commented Sep 11, 2025
edited
Loading

Fix open redirect in legacy SSO flow:

  • Validate the idp parameter to only accept the ones that are known in the config file
  • URL-encode the idp parameter for safety's sake (this is the main fix)

Fix https://github.com/matrix-org/internal-config/issues/1651 (internal link)

Regressed in #17972

Dev notes

SYNAPSE_TEST_LOG_LEVEL=INFO poetry run trial tests.rest.client.test_login

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct (run the linters)

@MadLittleMods MadLittleMods changed the title IDP validation Fix open redirect in legacy SSO flow (idp) Sep 11, 2025
MadLittleMods
MadLittleMods commented Sep 11, 2025
View reviewed changes
synapse/rest/synapse/client/pick_idp.py Outdated
Comment on lines 66 to 74
# Validate the `idp` query parameter
providers = self._sso_handler.get_identity_providers()
auth_provider = providers.get(idp)
if not auth_provider:
logger.info("Unknown idp %r", idp)
self._sso_handler.render_error(
request, "unknown_idp", "Unknown identity provider ID"
)
return
Copy link
Contributor Author

@MadLittleMods MadLittleMods Sep 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Restoring this since it was removed in #17972

With hindsight, I'm not sure why it was removed although perhaps I just thought it was a bit superfluous as we would end up at a 404 anyway.

We could technically still do away with this and rely on the URL encoded value fix above to fix the open redirect problem.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be worth calling out that this code prevents Synapse from reaching out to arbitrary URLs (along with the URL-encoding later). Mostly to prevent it being arbitrarily removed by a future code change (even though the tests help with that as well).

Copy link
Contributor Author

@MadLittleMods MadLittleMods Sep 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was a bit tricky to word but I've added something 👍

@MadLittleMods MadLittleMods marked this pull request as ready for review September 11, 2025 16:56
@MadLittleMods MadLittleMods requested a review from a team as a code owner September 11, 2025 16:56
anoadragon453
anoadragon453 approved these changes Sep 16, 2025
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for taking this on!

synapse/rest/synapse/client/pick_idp.py Outdated
Comment on lines 66 to 74
# Validate the `idp` query parameter
providers = self._sso_handler.get_identity_providers()
auth_provider = providers.get(idp)
if not auth_provider:
logger.info("Unknown idp %r", idp)
self._sso_handler.render_error(
request, "unknown_idp", "Unknown identity provider ID"
)
return
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be worth calling out that this code prevents Synapse from reaching out to arbitrary URLs (along with the URL-encoding later). Mostly to prevent it being arbitrarily removed by a future code change (even though the tests help with that as well).

@MadLittleMods MadLittleMods merged commit 6f9fab1 into develop Sep 17, 2025
76 of 78 checks passed
@MadLittleMods MadLittleMods deleted the madlittlemods/1651-idp-validation branch September 17, 2025 18:54
@MadLittleMods
Copy link
Contributor Author

Thanks for the review @anoadragon453 🦐

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anoadragon453 anoadragon453 anoadragon453 approved these changes

Assignees

No one assigned

Labels

A-SSO Security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MadLittleMods @anoadragon453