Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding domain check to mitigate SSRF attacks. #7

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Adding domain check to mitigate SSRF attacks. #7

wants to merge 2 commits into from

Conversation

PasinduYeshan
Copy link
Contributor

@PasinduYeshan PasinduYeshan commented Aug 11, 2022
edited
Loading

  • When device information is requested from Entgra if the device is not enrolled it returns 404. That error checking is added to this PR.
  • Added domain check before sending HTTP requests.

@PasinduYeshan PasinduYeshan changed the title Fix 404 error handling Adding domain check. Aug 20, 2022
@PasinduYeshan PasinduYeshan changed the title Adding domain check. Adding domain check to mitigate SSRF attacks. Aug 20, 2022
ashendes
ashendes reviewed Aug 22, 2022
View reviewed changes
.../wso2/carbon/identity/conditional/auth/functions/entgra/GetDeviceInfoEntgraFunctionImpl.java
if (domain != null) {
domainArr = StringUtils.split(domain, DOMAIN_SEPARATOR);
if (domainArr.length != 0) {
parentDomain = domainArr.length == 1 ? domainArr[0] : domainArr[domainArr.length - 2];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Parent domain should be the joined string of the last two elements.

ashendes
ashendes reviewed Aug 22, 2022
View reviewed changes
.../wso2/carbon/identity/conditional/auth/functions/entgra/GetDeviceInfoEntgraFunctionImpl.java
* @param url
* @return validity
*/
private boolean isValidRequestDomain(URI url) {
Copy link
Contributor

@ashendes ashendes Aug 22, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't there any Framework util method for this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I got this from the http conditional auth function. It was implemented as a private method and I didn't find any util method for this.

@PasinduYeshan PasinduYeshan marked this pull request as draft November 20, 2023 06:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ashendes ashendes ashendes left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@PasinduYeshan @ashendes