Moderate severity · NVD Advisory · Published Jun 29, 2020 · Updated Aug 4, 2024

Open Redirect in OAuth2 Proxy

CVE-2020-4037

Description

In OAuth2 Proxy from version 5.1.1 up to but not including version 6.0.0, users can provide a redirect address that the proxy sends the authenticated user to at the end of the authentication flow. This is expected to be the original URL the user was trying to reach. The proxy checks and validates this redirect URL before redirecting, so that a malicious actor cannot supply a redirect to a harmful site, but in these versions the check was incomplete: values that a browser resolves to another host, such as a path with several whitespace characters between slashes, or with `.` or `..` segments in front of a backslash, were still accepted. This has been fixed in version 6.0.0, which widens the pattern of rejected redirects (see the oauthproxy.go change below) and adds a regression corpus of known open-redirect payloads.
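The following Go program is an added example, not oauth2-proxy's own code. It takes the two reject patterns exactly as they appear in the oauthproxy.go patch further down this page, wraps them in a simplified stand-in for the relative-path branch of the proxy's check (assumption: the real `IsValidRedirect` also has an allow-list branch for absolute URLs, which is omitted here), and shows why the inputs named in the 6.0.0 tests matter. Two behaviours outside the proxy do the damage: Go's `net/http.Redirect` runs `path.Clean` on any relative target it can parse, so `/./\evil.com` is sent as `/\evil.com`, and a browser removes tabs from a URL and treats `\` as `/` for http(s), so a Location of `/\t\t/\t/evil.com` or `/\evil.com` resolves to `//evil.com`. The function names `validRelativeRedirect`, `LocationHeader`, `BrowserHost`, `Evaluate` and `Bypasses`, the request path `/oauth2/callback` and the sample targets (built from the test names in the patch plus two benign paths) are all constructed for this example; `BrowserHost` is a deliberately small approximation of the WHATWG URL parser, not a full implementation.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Both patterns are copied from the oauthproxy.go patch on this page: the
// pre-6.0.0 check (its "-" line) and the 6.0.0 check (its "+" line).
var (
	invalidRedirectBefore = regexp.MustCompile(`^/(\s|\v)?(/|\\)`)
	invalidRedirectAfter  = regexp.MustCompile(`[/\\](?:[\s\v]*|\.{1,2})[/\\]`)
)

// validRelativeRedirect is a stand-in for the relative-path branch of the
// proxy's IsValidRedirect (assumption: the real function also accepts absolute
// URLs whose host is whitelisted; that branch is left out of this example).
func validRelativeRedirect(rd string, invalid *regexp.Regexp) bool {
	return strings.HasPrefix(rd, "/") &&
		!strings.HasPrefix(rd, "//") &&
		!invalid.MatchString(rd)
}

// LocationHeader returns the Location value Go's net/http emits when a handler
// redirects to target. For a relative target that url.Parse accepts, Redirect
// applies path.Clean, which drops "." and ".." segments but leaves "\" as is;
// a target containing a tab fails url.Parse and is sent through unchanged.
// The request path /oauth2/callback is an assumed value.
func LocationHeader(target string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/oauth2/callback", nil)
	http.Redirect(rec, req, target, http.StatusFound)
	return rec.Header().Get("Location")
}

// BrowserHost approximates how a browser resolves a Location value against the
// proxy's own https origin: the WHATWG URL parser strips ASCII tab and newline
// and, for http(s) URLs, treats "\" as "/", so a value that then starts with
// "//" is protocol-relative and names a new host. Returns that host, or ""
// when the browser stays on the proxy's origin. Deliberately minimal.
func BrowserHost(location string) string {
	s := strings.NewReplacer("\t", "", "\n", "", "\r", "", "\\", "/").Replace(location)
	if !strings.HasPrefix(s, "//") {
		return ""
	}
	s = strings.TrimLeft(s, "/")
	if i := strings.IndexAny(s, "/?#"); i >= 0 {
		s = s[:i]
	}
	return s
}

// Verdict records how one redirect target fares before and after the fix.
type Verdict struct {
	Target      string
	ValidBefore bool   // accepted by the pre-6.0.0 check
	ValidAfter  bool   // accepted by the 6.0.0 check
	ForeignHost string // host a browser lands on if the proxy redirects there
}

func Evaluate(targets []string) []Verdict {
	out := make([]Verdict, 0, len(targets))
	for _, t := range targets {
		out = append(out, Verdict{
			Target:      t,
			ValidBefore: validRelativeRedirect(t, invalidRedirectBefore),
			ValidAfter:  validRelativeRedirect(t, invalidRedirectAfter),
			ForeignHost: BrowserHost(LocationHeader(t)),
		})
	}
	return out
}

// Bypasses lists the targets the pre-6.0.0 check accepted although a browser
// would leave the proxy's origin: the open redirects the 6.0.0 patch closes.
func Bypasses(targets []string) []string {
	var out []string
	for _, v := range Evaluate(targets) {
		if v.ValidBefore && v.ForeignHost != "" {
			out = append(out, v.Target)
		}
	}
	return out
}

// SampleTargets are constructed from the test names in the patch, plus two
// benign paths that show what the unanchored 6.0.0 pattern costs.
var SampleTargets = []string{
	"/\t\t/\t/evil.com",   // openRedirectTripleTab
	"/./\\evil.com",       // openRedirectPeriod1
	"/./../../\\evil.com", // openRedirectPeriod2
	"/\t/\t\\evil.com",    // openRedirectDoubleTab: already caught before 6.0.0
	"/dashboard?next=1",   // ordinary post-login destination
	"/docs//api",          // harmless, but rejected by the 6.0.0 pattern
}

func main() {
	for _, v := range Evaluate(SampleTargets) {
		fmt.Printf("%-24q before=%-5v after=%-5v location=%-18q host=%q\n",
			v.Target, v.ValidBefore, v.ValidAfter, LocationHeader(v.Target), v.ForeignHost)
	}
}
```

Running it prints one verdict per target: the triple-tab and the two dot-segment payloads pass the old check and land on evil.com, the single-tab `/\t/\t\evil.com` was already rejected before 6.0.0 (the old pattern allowed exactly one whitespace character between the slashes), and `/docs//api` shows the trade-off of the unanchored 6.0.0 pattern: `path.Clean` would have made it harmless, but the proxy now refuses it. That over-rejection is the safe direction; anything the proxy does accept must survive both the server-side clean-up and the browser's own normalisation.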

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Affected versions    Patched versions
github.com/oauth2-proxy/oauth2-proxy (Go)   >= 5.1.1, < 6.0.0    6.0.0

Patches (2 commits)

Commit d9af3ffc5ec0

Merge pull request #641 from oauth2-proxy/release-v6.0.0

8 files changed · +60 −12
  • CHANGELOG.md  (+21 −1, modified)
    @@ -4,6 +4,25 @@
     
     ## Important Notes
     
    +## Breaking Changes
    +
    +## Changes since v6.0.0
    +
    +# v6.0.0
    +
    +## Release Highlights
    +
    +- Migrated to an independent GitHub organisation
    +- Added local test environment examples using docker-compose and kind
    +- Error pages will now be rendered when upstream connections fail
    +- Non-Existent options in config files will now return errors on startup
    +- Sessions are now always encrypted, independent of configuration
    +
    +## Important Notes
    +
    +- (Security) Fix for [open redirect vulnerability](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv).
    +  - More invalid redirects that lead to open-redirects were reported
    +  - An extensive test suite has been added to prevent future regressions
     - [#453](https://github.com/oauth2-proxy/oauth2-proxy/pull/453) Responses to endpoints with a proxy prefix will now return headers for preventing browser caching.
     
     ## Breaking Changes
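Review bot: the "(Security) Fix for open redirect vulnerability" entry under the v6.0.0 Important Notes names no affected range, while the advisory it links covers >= 5.1.1, < 6.0.0; the README's previous Security note (visible in the README hunk below) told users to be on v5.1.0 or later, so readers on 5.1.x may assume they are already covered. State explicitly that v5.1.1 is affected and that v6.0.0 is the first fixed release.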
    @@ -60,6 +79,7 @@
     
     ## Changes since v5.1.1
     
    +- [GHSA-5m6c-jp6f-2vcv](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv) New OpenRedirect cases have been found (@JoelSpeed)
     - [#639](https://github.com/oauth2-proxy/oauth2-proxy/pull/639) Change how gitlab-group is parsed on options (@linuxgemini)
     - [#615](https://github.com/oauth2-proxy/oauth2-proxy/pull/615) Kubernetes example based on Kind cluster and Nginx ingress (@EvgeniGordeev)
     - [#596](https://github.com/oauth2-proxy/oauth2-proxy/pull/596) Validate Bearer IDTokens in headers with correct provider/extra JWT Verifier (@NickMeves)
    @@ -85,7 +105,7 @@
     - [#537](https://github.com/oauth2-proxy/oauth2-proxy/pull/537) Drop Fallback to Email if User not set (@JoelSpeed)
     - [#535](https://github.com/oauth2-proxy/oauth2-proxy/pull/535) Drop support for pre v3.1 cookies (@JoelSpeed)
     - [#533](https://github.com/oauth2-proxy/oauth2-proxy/pull/487) Set up code coverage within Travis for Code Climate (@JoelSpeed)
    -- [#514](https://github.com/oauth2-proxy/oauth2-proxy/pull/514) Add basic string functions to templates
    +- [#514](https://github.com/oauth2-proxy/oauth2-proxy/pull/514) Add basic string functions to templates (@n-i-x)
     - [#524](https://github.com/oauth2-proxy/oauth2-proxy/pull/524) Sign cookies with SHA256 (@NickMeves)
     - [#515](https://github.com/oauth2-proxy/oauth2-proxy/pull/515) Drop configure script in favour of native Makefile env and checks (@JoelSpeed)
     - [#519](https://github.com/oauth2-proxy/oauth2-proxy/pull/519) Support context in providers (@johejo)
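Review bot: the context line `- [#533](https://github.com/oauth2-proxy/oauth2-proxy/pull/487) Set up code coverage within Travis for Code Climate` links the #533 entry to pull/487; since this block is being edited anyway, point the link at pull/533 (or correct the entry number, whichever is wrong).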
    
  • contrib/local-environment/docker-compose-keycloak.yaml  (+1 −1, modified)
    @@ -15,7 +15,7 @@ services:
     
       oauth2-proxy:
         container_name: oauth2-proxy
    -    image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
    +    image: quay.io/oauth2-proxy/oauth2-proxy:v6.0.0
         command: --config /oauth2-proxy.cfg
         hostname: oauth2-proxy
         volumes:
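Review bot: `image: quay.io/oauth2-proxy/oauth2-proxy:v6.0.0` pins a mutable tag; for a local test environment that is acceptable, but since these compose files are the ones people copy from, consider also recording the image digest (`@sha256:...`) for the security release so the patched build cannot be swapped out under the same tag. The same applies to docker-compose.yaml below.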
    
  • contrib/local-environment/docker-compose.yaml  (+1 −1, modified)
    @@ -13,7 +13,7 @@ version: '3.0'
     services:
       oauth2-proxy:
         container_name: oauth2-proxy
    -    image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
    +    image: quay.io/oauth2-proxy/oauth2-proxy:v6.0.0
         command: --config /oauth2-proxy.cfg
         ports:
           - 4180:4180/tcp
    
  • docs/1_installation.md  (+1 −1, modified)
    @@ -9,7 +9,7 @@ nav_order: 1
     
     1.  Choose how to deploy:
     
    -    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v5.1.1`)
    +    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v6.0.0`)
     
         b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy` which will put the binary in `$GOROOT/bin`
     
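Review bot: the context line "Build with `$ go get github.com/oauth2-proxy/oauth2-proxy` which will put the binary in `$GOROOT/bin`" is wrong: `go get` installs binaries under `$GOPATH/bin` (or `$GOBIN` when set); `$GOROOT/bin` holds the Go toolchain itself. The release bump already touches the adjacent line, so fix it here and in the matching README.md paragraph.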
    
  • go.mod  (+4 −2, modified)
    @@ -15,6 +15,7 @@ require (
     	github.com/justinas/alice v1.2.0
     	github.com/kr/pretty v0.2.0 // indirect
     	github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa
    +	github.com/mdempsky/maligned v0.0.0-20180708014732-6e39bd26a8c8 // indirect
     	github.com/mitchellh/mapstructure v1.1.2
     	github.com/onsi/ginkgo v1.12.0
     	github.com/onsi/gomega v1.9.0
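Review bot: `github.com/mdempsky/maligned ... // indirect` is a linter, not something the proxy binary links, and it is now part of the application's module graph (the `mvdan.cc/unparam` entry in the next hunk is the same case). If they are needed for the lint target, keep them in a separate tools module so that go.mod lists only what ships in the binary and reviewers of a security release are not reading past tool noise.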
    @@ -23,10 +24,11 @@ require (
     	github.com/spf13/viper v1.6.3
     	github.com/stretchr/testify v1.5.1
     	github.com/yhat/wsutil v0.0.0-20170731153501-1d66fa95c997
    -	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
    -	golang.org/x/net v0.0.0-20190923162816-aa69164e4478
    +	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
    +	golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
     	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
     	google.golang.org/api v0.20.0
     	gopkg.in/natefinch/lumberjack.v2 v2.0.0
     	gopkg.in/square/go-jose.v2 v2.4.1
    +	mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7 // indirect
     )
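Review bot: the jumps in `golang.org/x/crypto` (c2843e01d9a2 to 87dc89f01550) and `golang.org/x/net` (aa69164e4478 to 0de0cce0169b) carry no CHANGELOG.md entry. If they were dragged in transitively by the new linter requirements rather than chosen on purpose, say so in the PR description; either way add a changelog line, since x/crypto and x/net changes are security-relevant for a proxy.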
    
  • go.sum  (+22 −0, modified)
    @@ -105,6 +105,7 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
     github.com/justinas/alice v1.2.0 h1:+MHSA/vccVCF4Uq37S42jwlkvI2Xzl7zTPCN5BnZNVo=
     github.com/justinas/alice v1.2.0/go.mod h1:fN5HRH/reO/zrUflLfTN43t3vXvKzvZIENsNEe7i7qA=
     github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
    +github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
     github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
     github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
     github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
    @@ -120,6 +121,8 @@ github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlW
     github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
     github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa h1:hI1uC2A3vJFjwvBn0G0a7QBRdBUp6Y048BtLAHRTKPo=
     github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa/go.mod h1:8vxFeeg++MqgCHwehSuwTlYCF0ALyDJbYJ1JsKi7v6s=
    +github.com/mdempsky/maligned v0.0.0-20180708014732-6e39bd26a8c8 h1:zvpKif6gkrh82wAd2JIffdLyCL52N8r+ABwHxdIOvWM=
    +github.com/mdempsky/maligned v0.0.0-20180708014732-6e39bd26a8c8/go.mod h1:oGVD62YTpMEWw0JqJ2Vl48dzHywJBMlapkfsmhtokOU=
     github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
     github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
     github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
    @@ -154,6 +157,7 @@ github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R
     github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
     github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
     github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
    +github.com/rogpeppe/go-internal v1.5.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
     github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
     github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
     github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
    @@ -184,6 +188,7 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q
     github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
     github.com/yhat/wsutil v0.0.0-20170731153501-1d66fa95c997 h1:1+FQ4Ns+UZtUiQ4lP0sTCyKSQ0EXoiwAdHZB0Pd5t9Q=
     github.com/yhat/wsutil v0.0.0-20170731153501-1d66fa95c997/go.mod h1:DIGbh/f5XMAessMV/uaIik81gkDVjUeQ9ApdaU7wRKE=
    +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
     github.com/yuin/gopher-lua v0.0.0-20190206043414-8bfc7677f583/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ=
     github.com/yuin/gopher-lua v0.0.0-20191213034115-f46add6fdb5c/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ=
     github.com/yuin/gopher-lua v0.0.0-20191220021717-ab39c6098bdb h1:ZkM6LRnq40pR1Ox0hTHlnpkcOTuFIDQpZ1IN8rKKhX0=
    @@ -197,12 +202,14 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
     golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
     golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
     golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
    +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
     golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
     golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
     golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
     golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
     golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
     golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
    +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
     golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
     golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
     golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
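Review bot: for the newly selected `golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550` only the `/go.mod` hash line is added; there is no `h1:` line for the module contents, while both lines for the superseded c2843e01d9a2 version stay. Run `go mod tidy` and commit the result so that `go mod verify` and a `-mod=readonly` build can check the module zip that is actually linked.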
    @@ -211,11 +218,14 @@ golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73r
     golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
     golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
     golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
    +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
     golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c h1:uOCk1iQW6Vc18bnC13MfzScl+wdKBmM9Y9kU7Z83/lw=
     golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
     golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
    +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
     golang.org/x/net v0.0.0-20190923162816-aa69164e4478 h1:l5EDrHhldLYb3ZRHDUhXF7Om7MvYXnkV9/iQNo1lX6g=
     golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
    +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
     golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
     golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
     golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
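Review bot: same issue as x/crypto above: `golang.org/x/net v0.0.0-20200226121028-0de0cce0169b`, now the selected version in go.mod, gets only a `/go.mod` line here and no `h1:` content hash, while the old aa69164e4478 lines remain. `go mod tidy` should produce both lines for the selected version.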
    @@ -227,13 +237,15 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
     golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
     golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
     golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
    +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
     golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
     golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
     golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
     golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
     golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
     golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
     golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
    +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
     golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
     golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
     golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
    @@ -253,9 +265,16 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3
     golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
     golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
     golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
    +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135 h1:5Beo0mZN8dRzgrMMkDp0jc8YXQKx9DiJ2k1dkvGsn5A=
     golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
    +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
    +golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b h1:zSzQJAznWxAh9fZxiPy2FZo+ZZEYoYFYYDYdOrU7AaM=
    +golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
     golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
     golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
    +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
    +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
    +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
     google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
     google.golang.org/api v0.20.0 h1:jz2KixHX7EcCPiQrySzPdnYT7DbINAypCqKZ1Z7GM40=
     google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
    @@ -279,6 +298,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
     gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
     gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
     gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
    +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
     gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
     gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
     gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno=
    @@ -299,3 +319,5 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
     honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
     honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
     honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
    +mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7 h1:kAREL6MPwpsk1/PQPFD3Eg7WAQR5mPTWZJaBiG5LDbY=
    +mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7/go.mod h1:HGC5lll35J70Y5v7vCGb9oLhHoScFwkHDJm/05RdSTc=
    
  • oauthproxy_test.go  (+7 −3, modified)
    @@ -437,10 +437,11 @@ func TestIsValidRedirect(t *testing.T) {
     }
     
     func TestOpenRedirects(t *testing.T) {
    -	opts := NewOptions()
    +	opts := options.NewOptions()
     	opts.ClientID = "skdlfj"
     	opts.ClientSecret = "fgkdsgj"
    -	opts.Cookie.Secret = "ljgiogbj"
    +	opts.Cookie.Secret = rawCookieSecret
    +	opts.EmailDomains = []string{"*"}
     	// Should match domains that are exactly foo.bar and any subdomain of bar.foo
     	opts.WhitelistDomains = []string{
     		"foo.bar",
    @@ -451,7 +452,10 @@ func TestOpenRedirects(t *testing.T) {
     		".sub.anyport.bar:*",
     		"www.whitelisteddomain.tld",
     	}
    -	opts.Validate()
    +	err := validation.Validate(opts)
    +	if err != nil {
    +		t.Fatal(err)
    +	}
     
     	proxy := NewOAuthProxy(opts, func(string) bool { return true })
     
    
  • README.md  (+3 −3, modified)
    @@ -23,7 +23,7 @@ Going forward, all images shall be available at `quay.io/oauth2-proxy/oauth2-pro
     
     1.  Choose how to deploy:
     
    -    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v5.1.1`)
    +    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v6.0.0`)
     
         b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy` which will put the binary in `$GOROOT/bin`
     
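Review bot: the context line about `go get` putting the binary in `$GOROOT/bin` has the same error as docs/1_installation.md: `go get` installs into `$GOPATH/bin` (or `$GOBIN`), not `$GOROOT/bin`. Fix it while the adjacent line is being changed.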
    @@ -43,8 +43,8 @@ oauth2-proxy-x.y.z.linux-amd64: OK
     
     ## Security
     
    -If you are running a version older than v5.1.0 we **strongly recommend you please update** to a current version.
    -See [open redirect vulnverability](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-j7px-6hwj-hpjg) for details.
    +If you are running a version older than v6.0.0 we **strongly recommend you please update** to a current version.
    +See [open redirect vulnverability](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv) for details.
     
     ## Docs
     
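Review bot: the replacement line keeps the typo "vulnverability" from the line it replaces; correct it to "vulnerability" while the line is being touched. The "older than v6.0.0" wording is right, since this advisory covers v5.1.1 as well.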
    
Commit ee5662e0f500

Merge pull request from GHSA-5m6c-jp6f-2vcv

https://github.com/oauth2-proxy/oauth2-proxy · Joel Speed · Jun 27, 2020 · via GHSA
3 files changed · +641 −1
  • oauthproxy.go  (+1 −1, modified)
    @@ -63,7 +63,7 @@ var (
     
     	// Used to check final redirects are not susceptible to open redirects.
     	// Matches //, /\ and both of these with whitespace in between (eg / / or / \).
    -	invalidRedirectRegex = regexp.MustCompile(`^/(\s|\v)?(/|\\)`)
    +	invalidRedirectRegex = regexp.MustCompile(`[/\\](?:[\s\v]*|\.{1,2})[/\\]`)
     )
     
     // OAuthProxy is the main authentication proxy
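Review bot: the comment "Matches //, /\ and both of these with whitespace in between" is now stale: the new pattern also matches `/./` and `/../` (and their backslash forms), allows any run of whitespace rather than a single character, and, having lost the `^` anchor, fires anywhere in the value, so a legitimate path such as `/docs//api` is rejected as well. Update the comment to say all three things. Note also that the pattern inspects literal characters only; the test added in this same PR calls `url.QueryUnescape` before `IsValidRedirect`, so the check relies on its caller having already percent-decoded the value (`%2e%2e%2f` would not match as-is).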
    
  • oauthproxy_test.go  (+81 −0, modified)
    @@ -1,6 +1,7 @@
     package main
     
     import (
    +	"bufio"
     	"context"
     	"crypto"
     	"encoding/base64"
    @@ -11,6 +12,7 @@ import (
     	"net/http"
     	"net/http/httptest"
     	"net/url"
    +	"os"
     	"regexp"
     	"strings"
     	"testing"
    @@ -386,6 +388,41 @@ func TestIsValidRedirect(t *testing.T) {
     			Redirect:       "/\r\\evil.com",
     			ExpectedResult: false,
     		},
    +		{
    +			Desc:           "openRedirectTripleTab",
    +			Redirect:       "/\t\t/\t/evil.com",
    +			ExpectedResult: false,
    +		},
    +		{
    +			Desc:           "openRedirectTripleTab2",
    +			Redirect:       "/\t\t\\\t/evil.com",
    +			ExpectedResult: false,
    +		},
    +		{
    +			Desc:           "openRedirectQuadTab1",
    +			Redirect:       "/\t\t/\t\t\\evil.com",
    +			ExpectedResult: false,
    +		},
    +		{
    +			Desc:           "openRedirectQuadTab2",
    +			Redirect:       "/\t\t\\\t\t/evil.com",
    +			ExpectedResult: false,
    +		},
    +		{
    +			Desc:           "openRedirectPeriod1",
    +			Redirect:       "/./\\evil.com",
    +			ExpectedResult: false,
    +		},
    +		{
    +			Desc:           "openRedirectPeriod2",
    +			Redirect:       "/./../../\\evil.com",
    +			ExpectedResult: false,
    +		},
    +		{
    +			Desc:           "openRedirectDoubleTab",
    +			Redirect:       "/\t/\t\\evil.com",
    +			ExpectedResult: false,
    +		},
     	}
     
     	for _, tc := range testCases {
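Review bot: every new case uses `\t` as the separator, but the widened class `[\s\v]*` also admits `\v`, `\f`, `\n`, `\r` and space, and only `\r` is covered by the existing `/\r\\evil.com` case above. Add at least one mixed-whitespace case (for example `"/ \v\f/evil.com"`) so a later edit to the class is caught, and keep `openRedirectDoubleTab` next to the other tab cases rather than after the period cases.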
    @@ -399,6 +436,50 @@ func TestIsValidRedirect(t *testing.T) {
     	}
     }
     
    +func TestOpenRedirects(t *testing.T) {
    +	opts := NewOptions()
    +	opts.ClientID = "skdlfj"
    +	opts.ClientSecret = "fgkdsgj"
    +	opts.Cookie.Secret = "ljgiogbj"
    +	// Should match domains that are exactly foo.bar and any subdomain of bar.foo
    +	opts.WhitelistDomains = []string{
    +		"foo.bar",
    +		".bar.foo",
    +		"port.bar:8080",
    +		".sub.port.bar:8080",
    +		"anyport.bar:*",
    +		".sub.anyport.bar:*",
    +		"www.whitelisteddomain.tld",
    +	}
    +	opts.Validate()
    +
    +	proxy := NewOAuthProxy(opts, func(string) bool { return true })
    +
    +	file, err := os.Open("./test/openredirects.txt")
    +	if err != nil {
    +		t.Fatal(err)
    +	}
    +	defer file.Close()
    +
    +	scanner := bufio.NewScanner(file)
    +	for scanner.Scan() {
    +		rd := scanner.Text()
    +		t.Run(rd, func(t *testing.T) {
    +			rdUnescaped, err := url.QueryUnescape(rd)
    +			if err != nil {
    +				t.Fatal(err)
    +			}
    +			if proxy.IsValidRedirect(rdUnescaped) {
    +				t.Errorf("Expected %q to not be valid (unescaped: %q)", rd, rdUnescaped)
    +			}
    +		})
    +	}
    +
    +	if err := scanner.Err(); err != nil {
    +		t.Fatal(err)
    +	}
    +}
    +
     type TestProvider struct {
     	*providers.ProviderData
     	EmailAddress   string
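Review bot: `opts.Validate()` is called for its side effects and its return value is discarded, so a misconfigured options struct would make every subtest pass or fail for the wrong reason; check the error with `t.Fatal`. Separately, `url.QueryUnescape` turns `+` into a space, so corpus entries containing `+` (for example `//3H6k7lIAiqjfNeN@example.com+@google.com/`) are tested as a different string from the one listed; use `url.PathUnescape`, or test both the raw and the decoded form of each line.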
    
  • test/openredirects.txt  (+559 −0, added)
    @@ -0,0 +1,559 @@
    +
    +";alert(0);//
    +%19Jav%09asc%09ript:https%20://www.whitelisteddomain.tld/%250Aconfirm%25281%2529
    +%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
    +.localdomain.pw
    +/%09/example.com
    +/%09/example.com@google.com
    +/%09/google.com
    +/%09/javascript:alert(1)
    +/%09/javascript:alert(1);
    +/%09/localdomain.pw
    +/%09/www.whitelisteddomain.tld@google.com
    +/%09/www.whitelisteddomain.tld@localdomain.pw
    +/%2f%2f%2fbing.com%2f%3fwww.omise.co
    +/%2f%2fexample.com
    +/%2f%2fgoogle.com
    +/%2f%2flocaldomain.pw
    +/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
    +/%5cexample.com
    +/%5cexample.com@google.com
    +/%5cgoogle.com
    +/%5cjavascript:alert(1)
    +/%5cjavascript:alert(1);
    +/%5clocaldomain.pw
    +/%5cwww.whitelisteddomain.tld@google.com
    +/%5cwww.whitelisteddomain.tld@localdomain.pw
    +/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
    +//%09/example.com
    +//%09/example.com@google.com
    +//%09/google.com
    +//%09/localdomain.pw
    +//%09/www.whitelisteddomain.tld@google.com
    +//%09/www.whitelisteddomain.tld@localdomain.pw
    +//%2fxgoogle.com
    +//%5cexample.com
    +//%5cexample.com@google.com
    +//%5cgoogle.com
    +//%5cjavascript:alert(1)
    +//%5cjavascript:alert(1);
    +//%5clocaldomain.pw
    +//%5cwww.whitelisteddomain.tld@google.com
    +//%5cwww.whitelisteddomain.tld@localdomain.pw
    +///%09/example.com
    +///%09/example.com@google.com
    +///%09/google.com
    +///%09/localdomain.pw
    +///%09/www.whitelisteddomain.tld@google.com
    +///%09/www.whitelisteddomain.tld@localdomain.pw
    +///%5cexample.com
    +///%5cexample.com@google.com
    +///%5cgoogle.com
    +///%5clocaldomain.pw
    +///%5cwww.whitelisteddomain.tld@google.com
    +///%5cwww.whitelisteddomain.tld@localdomain.pw
    +////%09/example.com
    +////%09/example.com@google.com
    +////%09/google.com
    +////%09/localdomain.pw
    +////%09/www.whitelisteddomain.tld@google.com
    +////%09/www.whitelisteddomain.tld@localdomain.pw
    +////%5cexample.com
    +////%5cexample.com@google.com
    +////%5cgoogle.com
    +////%5clocaldomain.pw
    +////%5cwww.whitelisteddomain.tld@google.com
    +////%5cwww.whitelisteddomain.tld@localdomain.pw
    +/////example.com
    +/////example.com/
    +/////google.com/
    +/////localdomain.pw
    +/////localdomain.pw/
    +////\;@example.com
    +////example.com/
    +////example.com/%2e%2e
    +////example.com/%2e%2e%2f
    +////example.com/%2f%2e%2e
    +////example.com/%2f..
    +////example.com//
    +////example.com@google.com/
    +////example.com@google.com/%2e%2e
    +////example.com@google.com/%2e%2e%2f
    +////example.com@google.com/%2f%2e%2e
    +////example.com@google.com/%2f..
    +////example.com@google.com//
    +////google.com/
    +////google.com/%2e%2e
    +////google.com/%2e%2e%2f
    +////google.com/%2f%2e%2e
    +////google.com/%2f..
    +////google.com//
    +////localdomain.pw/
    +////localdomain.pw/%2e%2e
    +////localdomain.pw/%2e%2e%2f
    +////localdomain.pw/%2f%2e%2e
    +////localdomain.pw/%2f..
    +////localdomain.pw//
    +////www.google.com/%2e%2e
    +////www.google.com/%2e%2e%2f
    +////www.google.com/%2f%2e%2e
    +////www.whitelisteddomain.tld@google.com/
    +////www.whitelisteddomain.tld@google.com/%2f..
    +////www.whitelisteddomain.tld@google.com//
    +////www.whitelisteddomain.tld@localdomain.pw/
    +////www.whitelisteddomain.tld@localdomain.pw/%2e%2e
    +////www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
    +////www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
    +////www.whitelisteddomain.tld@localdomain.pw/%2f..
    +////www.whitelisteddomain.tld@localdomain.pw//
    +////www.whitelisteddomain.tld@www.google.com/%2e%2e
    +////www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
    +////www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
    +///\;@example.com
    +///\;@google.com
    +///\;@localdomain.pw
    +///example.com
    +///example.com/
    +///example.com/%2e%2e
    +///example.com/%2e%2e%2f
    +///example.com/%2f%2e%2e
    +///example.com/%2f..
    +///example.com//
    +///example.com@google.com/
    +///example.com@google.com/%2e%2e
    +///example.com@google.com/%2e%2e%2f
    +///example.com@google.com/%2f%2e%2e
    +///example.com@google.com/%2f..
    +///example.com@google.com//
    +///google.com
    +///google.com/
    +///google.com/%2e%2e
    +///google.com/%2e%2e%2f
    +///google.com/%2f%2e%2e
    +///google.com/%2f..
    +///google.com//
    +///localdomain.pw
    +///localdomain.pw/
    +///localdomain.pw/%2e%2e
    +///localdomain.pw/%2e%2e%2f
    +///localdomain.pw/%2f%2e%2e
    +///localdomain.pw/%2f..
    +///localdomain.pw//
    +///www.google.com/%2e%2e
    +///www.google.com/%2e%2e%2f
    +///www.google.com/%2f%2e%2e
    +///www.whitelisteddomain.tld@google.com/
    +///www.whitelisteddomain.tld@google.com/%2f..
    +///www.whitelisteddomain.tld@google.com//
    +///www.whitelisteddomain.tld@localdomain.pw/
    +///www.whitelisteddomain.tld@localdomain.pw/%2e%2e
    +///www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
    +///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
    +///www.whitelisteddomain.tld@localdomain.pw/%2f..
    +///www.whitelisteddomain.tld@localdomain.pw//
    +///www.whitelisteddomain.tld@www.google.com/%2e%2e
    +///www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
    +///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
    +//3H6k7lIAiqjfNeN@example.com+@google.com/
    +//3H6k7lIAiqjfNeN@example.com@google.com/
    +//3H6k7lIAiqjfNeN@www.whitelisteddomain.tld+@localdomain.pw/
    +//3H6k7lIAiqjfNeN@www.whitelisteddomain.tld@localdomain.pw/
    +//;@google.com
    +//;@localdomain.pw
    +//XY>.7d8T\205pZM@example.com+@google.com/
    +//XY>.7d8T\205pZM@example.com@google.com/
    +//XY>.7d8T\205pZM@www.whitelisteddomain.tld+@localdomain.pw/
    +//XY>.7d8T\205pZM@www.whitelisteddomain.tld@localdomain.pw/
    +//example.com
    +//example.com+&@google.com#+@example.com/
    +//example.com/
    +//example.com/%2e%2e
    +//example.com/%2e%2e%2f
    +//example.com/%2f%2e%2e
    +//example.com/%2f..
    +//example.com//
    +//example.com@google.com/
    +//example.com@google.com/%2e%2e%2f
    +//example.com@google.com/%2f%2e%2e
    +//example.com@google.com/%2f..
    +//example.com@google.com//
    +//example.com@https:///google.com/%2e%2e
    +//google%00.com
    +//google%E3%80%82com
    +//google.com
    +//google.com/
    +//google.com/%2e%2e%2f
    +//google.com/%2f%2e%2e
    +//google.com/%2f..
    +//google.com//
    +//google.com:80#@example.com/
    +//google.com:80?@example.com/
    +//google.com\@example.com
    +//google.com\@www.whitelisteddomain.tld
    +//google.com\texample.com/
    +//https:///example.com/%2e%2e
    +//https:///google.com/%2e%2e
    +//https:///localdomain.pw/%2e%2e
    +//https:///www.google.com/%2e%2e
    +//https://example.com/%2e%2e%2f
    +//https://example.com//
    +//https://example.com@google.com/%2e%2e%2f
    +//https://example.com@google.com//
    +//https://google.com/%2e%2e%2f
    +//https://google.com//
    +//https://localdomain.pw/%2e%2e%2f
    +//https://localdomain.pw//
    +//https://www.google.com/%2e%2e%2f
    +//https://www.whitelisteddomain.tld@google.com//
    +//https://www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
    +//https://www.whitelisteddomain.tld@localdomain.pw//
    +//https://www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
    +//javascript:alert(1)
    +//javascript:alert(1);
    +//localdomain%00.pw
    +//localdomain%E3%80%82pw
    +//localdomain.pw
    +//localdomain.pw/
    +//localdomain.pw/%2e%2e%2f
    +//localdomain.pw/%2f%2e%2e
    +//localdomain.pw/%2f..
    +//localdomain.pw//
    +//localdomain.pw:80#@www.whitelisteddomain.tld/
    +//localdomain.pw:80?@www.whitelisteddomain.tld/
    +//localdomain.pw\@www.whitelisteddomain.tld
    +//localdomain.pw\twww.whitelisteddomain.tld/
    +//www.google.com/%2e%2e%2f
    +//www.google.com/%2f%2e%2e
    +//www.whitelisteddomain.tld+&@localdomain.pw#+@www.whitelisteddomain.tld/
    +//www.whitelisteddomain.tld@google.com/
    +//www.whitelisteddomain.tld@google.com/%2f..
    +//www.whitelisteddomain.tld@google.com//
    +//www.whitelisteddomain.tld@https:///localdomain.pw/%2e%2e
    +//www.whitelisteddomain.tld@https:///www.google.com/%2e%2e
    +//www.whitelisteddomain.tld@localdomain.pw/
    +//www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
    +//www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
    +//www.whitelisteddomain.tld@localdomain.pw/%2f..
    +//www.whitelisteddomain.tld@localdomain.pw//
    +//www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
    +//www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
    +/<>//example.com
    +/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
    +/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
    +/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
    +/ReceiveAutoRedirect/false?desiredLocationUrl=http://xssposed.org
    +/\/\/example.com/
    +/\/example.com/
    +/\/google.com/
    +/\/localdomain.pw/
    +/example.com/%2f%2e%2e
    +/google.com/%2f%2e%2e
    +/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
    +/http://example.com
    +/http://google.com
    +/http://localdomain.pw
    +/https:/%5cexample.com/
    +/https:/%5cgoogle.com/
    +/https:/%5clocaldomain.pw/
    +/https://%09/example.com
    +/https://%5cexample.com
    +/https://%5cexample.com@google.com
    +/https://%5cgoogle.com
    +/https://%5clocaldomain.pw
    +/https://%5cwww.whitelisteddomain.tld@google.com
    +/https://%5cwww.whitelisteddomain.tld@localdomain.pw
    +/https:///example.com/%2e%2e
    +/https:///example.com/%2f%2e%2e
    +/https:///example.com@google.com/%2f%2e%2e
    +/https:///google.com/%2f%2e%2e
    +/https:///localdomain.pw/%2f%2e%2e
    +/https:///www.google.com/%2f%2e%2e
    +/https:///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
    +/https:///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
    +/https://example.com
    +/https://example.com/
    +/https://example.com/%2e%2e
    +/https://example.com/%2e%2e%2f
    +/https://example.com/%2f%2e%2e
    +/https://example.com/%2f..
    +/https://example.com//
    +/https://example.com@google.com/
    +/https://example.com@google.com/%2e%2e
    +/https://example.com@google.com/%2f%2e%2e
    +/https://example.com@google.com/%2f..
    +/https://google.com/
    +/https://google.com/%2e%2e
    +/https://google.com/%2f%2e%2e
    +/https://google.com/%2f..
    +/https://localdomain.pw/
    +/https://localdomain.pw/%2e%2e
    +/https://localdomain.pw/%2f%2e%2e
    +/https://localdomain.pw/%2f..
    +/https://www.google.com/%2e%2e
    +/https://www.google.com/%2f%2e%2e
    +/https://www.whitelisteddomain.tld@google.com/
    +/https://www.whitelisteddomain.tld@google.com/%2f..
    +/https://www.whitelisteddomain.tld@localdomain.pw/
    +/https://www.whitelisteddomain.tld@localdomain.pw/%2e%2e
    +/https://www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
    +/https://www.whitelisteddomain.tld@localdomain.pw/%2f..
    +/https://www.whitelisteddomain.tld@www.google.com/%2e%2e
    +/https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
    +/localdomain.pw/%2f%2e%2e
    +/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
    +/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
    +/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
    +/x:1/:///%01javascript:alert(document.cookie)/
    +<>//google.com
    +<>//localdomain.pw
    +<>javascript:alert(1);
    +@google.com
    +@localdomain.pw
    +Javas%26%2399;ript:alert(1)
    +\/\/google.com/
    +\/\/localdomain.pw/
    +\152\141\166\141\163\143\162\151\160\164\072alert(1)
    +\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
    +\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
    +\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
    +data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
    +data:www.whitelisteddomain.tld;text/html;charset=UTF-8,<html><script>document.write(document.domain);</script><iframe/src=xxxxx>aaaa</iframe></html>
    +http://%67%6f%6f%67%6c%65%2e%63%6f%6d
    +http://.localdomain.pw
    +http://00330.00072.0000326.00000316
    +http://00330.0x3a.54990
    +http://00330.3856078
    +http://0330.072.0326.0316
    +http://0xd8.072.54990
    +http://0xd8.0x3a.0xd6.0xce
    +http://0xd8.3856078
    +http://0xd83ad6ce
    +http://3627734734
    +http://3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
    +http://3H6k7lIAiqjfNeN@00330.0x3a.54990
    +http://3H6k7lIAiqjfNeN@00330.3856078
    +http://3H6k7lIAiqjfNeN@0330.072.0326.0316
    +http://3H6k7lIAiqjfNeN@0xd8.072.54990
    +http://3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
    +http://3H6k7lIAiqjfNeN@0xd8.3856078
    +http://3H6k7lIAiqjfNeN@0xd83ad6ce
    +http://3H6k7lIAiqjfNeN@3627734734
    +http://3H6k7lIAiqjfNeN@472.314.470.462
    +http://3H6k7lIAiqjfNeN@[::216.58.214.206]
    +http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
    +http://3H6k7lIAiqjfNeN@example.com+@google.com/
    +http://3H6k7lIAiqjfNeN@example.com@google.com/
    +http://3H6k7lIAiqjfNeN@www.whitelisteddomain.tld+@localdomain.pw/
    +http://3H6k7lIAiqjfNeN@www.whitelisteddomain.tld@localdomain.pw/
    +http://472.314.470.462
    +http://;@google.com
    +http://;@localdomain.pw
    +http://XY>.7d8T\205pZM@00330.00072.0000326.00000316
    +http://XY>.7d8T\205pZM@00330.0x3a.54990
    +http://XY>.7d8T\205pZM@00330.3856078
    +http://XY>.7d8T\205pZM@0330.072.0326.0316
    +http://XY>.7d8T\205pZM@0xd8.072.54990
    +http://XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
    +http://XY>.7d8T\205pZM@0xd8.3856078
    +http://XY>.7d8T\205pZM@0xd83ad6ce
    +http://XY>.7d8T\205pZM@3627734734
    +http://XY>.7d8T\205pZM@472.314.470.462
    +http://XY>.7d8T\205pZM@[::216.58.214.206]
    +http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
    +http://XY>.7d8T\205pZM@example.com+@google.com/
    +http://XY>.7d8T\205pZM@example.com@google.com/
    +http://XY>.7d8T\205pZM@www.whitelisteddomain.tld+@localdomain.pw/
    +http://XY>.7d8T\205pZM@www.whitelisteddomain.tld@localdomain.pw/
    +http://[::216.58.214.206]
    +http://[::ffff:216.58.214.206]
    +http://example.com%2egoogle.com/
    +http://example.com+&@google.com#+@example.com/
    +http://example.com:80%40google.com/
    +http://example.com@00330.00072.0000326.00000316
    +http://example.com@00330.0x3a.54990
    +http://example.com@00330.3856078
    +http://example.com@0330.072.0326.0316
    +http://example.com@0xd8.072.54990
    +http://example.com@0xd8.0x3a.0xd6.0xce
    +http://example.com@0xd8.3856078
    +http://example.com@0xd83ad6ce
    +http://example.com@3627734734
    +http://example.com@472.314.470.462
    +http://example.com@[::216.58.214.206]
    +http://example.com@[::ffff:216.58.214.206]
    +http://google.com%23.example.com/
    +http://google.com%2f%2f.example.com/
    +http://google.com%3F.example.com/
    +http://google.com%5c%5c.example.com/
    +http://google.com:80#@example.com/
    +http://google.com:80#@www.whitelisteddomain.tld/
    +http://google.com:80?@example.com/
    +http://google.com:80?@www.whitelisteddomain.tld/
    +http://google.com\texample.com/
    +http://localdomain.pw%23.www.whitelisteddomain.tld/
    +http://localdomain.pw%2f%2f.www.whitelisteddomain.tld/
    +http://localdomain.pw%3F.www.whitelisteddomain.tld/
    +http://localdomain.pw%5c%5c.www.whitelisteddomain.tld/
    +http://localdomain.pw:80#@www.whitelisteddomain.tld/
    +http://localdomain.pw:80?@www.whitelisteddomain.tld/
    +http://localdomain.pw\twww.whitelisteddomain.tld/
    +http://www.localdomain.pw\.www.whitelisteddomain.tld
    +http://www.whitelisteddomain.tld%2elocaldomain.pw/
    +http://www.whitelisteddomain.tld+&@localdomain.pw#+@www.whitelisteddomain.tld/
    +http://www.whitelisteddomain.tld:80%40localdomain.pw/
    +http://www.whitelisteddomain.tld@00330.00072.0000326.00000316
    +http://www.whitelisteddomain.tld@00330.0x3a.54990
    +http://www.whitelisteddomain.tld@00330.3856078
    +http://www.whitelisteddomain.tld@0330.072.0326.0316
    +http://www.whitelisteddomain.tld@0xd8.072.54990
    +http://www.whitelisteddomain.tld@0xd8.0x3a.0xd6.0xce
    +http://www.whitelisteddomain.tld@0xd8.3856078
    +http://www.whitelisteddomain.tld@0xd83ad6ce
    +http://www.whitelisteddomain.tld@3627734734
    +http://www.whitelisteddomain.tld@472.314.470.462
    +http://www.whitelisteddomain.tld@[::216.58.214.206]
    +http://www.whitelisteddomain.tld@[::ffff:216.58.214.206]
    +http:00330.00072.0000326.00000316
    +http:00330.0x3a.54990
    +http:00330.3856078
    +http:0330.072.0326.0316
    +http:0xd8.072.54990
    +http:0xd8.0x3a.0xd6.0xce
    +http:0xd8.3856078
    +http:0xd83ad6ce
    +http:3627734734
    +http:3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
    +http:3H6k7lIAiqjfNeN@00330.0x3a.54990
    +http:3H6k7lIAiqjfNeN@00330.3856078
    +http:3H6k7lIAiqjfNeN@0330.072.0326.0316
    +http:3H6k7lIAiqjfNeN@0xd8.072.54990
    +http:3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
    +http:3H6k7lIAiqjfNeN@0xd8.3856078
    +http:3H6k7lIAiqjfNeN@0xd83ad6ce
    +http:3H6k7lIAiqjfNeN@3627734734
    +http:3H6k7lIAiqjfNeN@472.314.470.462
    +http:3H6k7lIAiqjfNeN@[::216.58.214.206]
    +http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
    +http:472.314.470.462
    +http:XY>.7d8T\205pZM@00330.00072.0000326.00000316
    +http:XY>.7d8T\205pZM@00330.0x3a.54990
    +http:XY>.7d8T\205pZM@00330.3856078
    +http:XY>.7d8T\205pZM@0330.072.0326.0316
    +http:XY>.7d8T\205pZM@0xd8.072.54990
    +http:XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
    +http:XY>.7d8T\205pZM@0xd8.3856078
    +http:XY>.7d8T\205pZM@0xd83ad6ce
    +http:XY>.7d8T\205pZM@3627734734
    +http:XY>.7d8T\205pZM@472.314.470.462
    +http:XY>.7d8T\205pZM@[::216.58.214.206]
    +http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
    +http:[::216.58.214.206]
    +http:[::ffff:216.58.214.206]
    +http:example.com@00330.00072.0000326.00000316
    +http:example.com@00330.0x3a.54990
    +http:example.com@00330.3856078
    +http:example.com@0330.072.0326.0316
    +http:example.com@0xd8.072.54990
    +http:example.com@0xd8.0x3a.0xd6.0xce
    +http:example.com@0xd8.3856078
    +http:example.com@0xd83ad6ce
    +http:example.com@3627734734
    +http:example.com@472.314.470.462
    +http:example.com@[::216.58.214.206]
    +http:example.com@[::ffff:216.58.214.206]
    +http:www.whitelisteddomain.tld@00330.00072.0000326.00000316
    +http:www.whitelisteddomain.tld@00330.0x3a.54990
    +http:www.whitelisteddomain.tld@00330.3856078
    +http:www.whitelisteddomain.tld@0330.072.0326.0316
    +http:www.whitelisteddomain.tld@0xd8.072.54990
    +http:www.whitelisteddomain.tld@0xd8.0x3a.0xd6.0xce
    +http:www.whitelisteddomain.tld@0xd8.3856078
    +http:www.whitelisteddomain.tld@0xd83ad6ce
    +http:www.whitelisteddomain.tld@3627734734
    +http:www.whitelisteddomain.tld@472.314.470.462
    +http:www.whitelisteddomain.tld@[::216.58.214.206]
    +http:www.whitelisteddomain.tld@[::ffff:216.58.214.206]
    +https://%09/example.com@google.com
    +https://%09/google.com
    +https://%09/localdomain.pw
    +https://%09/www.whitelisteddomain.tld@google.com
    +https://%09/www.whitelisteddomain.tld@localdomain.pw
    +https://%5cexample.com@google.com
    +https://%5cgoogle.com
    +https://%5clocaldomain.pw
    +https://%5cwww.whitelisteddomain.tld@google.com
    +https://%5cwww.whitelisteddomain.tld@localdomain.pw
    +https:///example.com@google.com/%2e%2e
    +https:///example.com@google.com/%2f%2e%2e
    +https:///google.com/%2e%2e
    +https:///google.com/%2f%2e%2e
    +https:///localdomain.pw/%2e%2e
    +https:///localdomain.pw/%2f%2e%2e
    +https:///www.google.com/%2e%2e
    +https:///www.google.com/%2f%2e%2e
    +https:///www.whitelisteddomain.tld@localdomain.pw/%2e%2e
    +https:///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
    +https:///www.whitelisteddomain.tld@www.google.com/%2e%2e
    +https:///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
    +https://:@google.com\@example.com
    +https://:@google.com\@www.whitelisteddomain.tld
    +https://:@localdomain.pw\@www.whitelisteddomain.tld
    +https://example.com/https://google.com/
    +https://example.com@google.com
    +https://example.com@google.com/
    +https://example.com@google.com/%2e%2e%2f
    +https://example.com@google.com/%2f%2e%2e
    +https://example.com@google.com/%2f..
    +https://example.com@google.com//
    +https://google.com
    +https://google.com/
    +https://google.com/%2e%2e%2f
    +https://google.com/%2f%2e%2e
    +https://google.com/%2f..
    +https://google.com//
    +https://localdomain.pw
    +https://localdomain.pw/
    +https://localdomain.pw/%2e%2e%2f
    +https://localdomain.pw/%2f%2e%2e
    +https://localdomain.pw/%2f..
    +https://localdomain.pw//
    +https://www.google.com/%2e%2e%2f
    +https://www.google.com/%2f%2e%2e
    +https://www.whitelisteddomain.tld@google.com
    +https://www.whitelisteddomain.tld@google.com/
    +https://www.whitelisteddomain.tld@google.com/%2f..
    +https://www.whitelisteddomain.tld@google.com//
    +https://www.whitelisteddomain.tld@localdomain.pw
    +https://www.whitelisteddomain.tld@localdomain.pw/
    +https://www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
    +https://www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
    +https://www.whitelisteddomain.tld@localdomain.pw/%2f..
    +https://www.whitelisteddomain.tld@localdomain.pw//
    +https://www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
    +https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
    +https:google.com
    +https:localdomain.pw
    +jaVAscript://www.whitelisteddomain.tld//%0d%0aalert(1);//
    +ja\nva\tscript\r:alert(1)
    +java%09script:alert(1)
    +java%0ascript:alert(1)
    +java%0d%0ascript%0d%0a:alert(0)
    +java%0dscript:alert(1)
    +javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
    +javascript://%0aalert(1)
    +javascript://example.com?%a0alert%281%29
    +javascript://https://example.com/?z=%0Aalert(1)
    +javascript://https://www.whitelisteddomain.tld/?z=%0Aalert(1)
    +javascript://www.whitelisteddomain.tld?%a0alert%281%29
    +javascript:alert(1)
    +javascript:alert(1);
    +〱google.com
    +〱localdomain.pw
    +〵google.com
    +〵localdomain.pw
    +ゝgoogle.com
    +ゝlocaldomain.pw
    +ーgoogle.com
    +ーlocaldomain.pw
    +ーgoogle.com
    +ーlocaldomain.pw
    
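Review bot: the final four entries of this test-data file (`ーgoogle.com` and `ーlocaldomain.pw`, then the same two names again) render identically, so the list either contains a genuine duplicate pair or two pairs that differ only in code point (the fullwidth and halfwidth forms of the prolonged sound mark); if the latter, add a comment in the test that loads this file naming the code point each pair exercises, so a later de-duplication pass does not silently drop one of the cases, and if the former, drop the repeat. The same ambiguity applies to entries that spell escape sequences as text, such as `//google.com\texample.com/` and `ja\nva\tscript\r:alert(1)`: whether the loader keeps `\t`, `\n`, `\r` and `\205` as literal backslash sequences or turns them into the control bytes they name decides which input the redirect validator is actually being tested against, and nothing here records the intended reading; document it (or include both the escaped text and the raw byte form as separate lines) so the regression suite covers the case the payload list was meant to cover.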
