OpenAM issue OPENAM-16537

AM not validating relative redirects on POST

      Bug description

      Below I have used http://am.localtest.me:8080/openam for illustration but replace this with your local deployment of AM as required.
      When posting to `http://am.localtest.me:8080/openam/json/users?_action=validateGoto`, AM is unable to determine whether the redirect URL is relative to the request URL so it rejects any URL that is not in the allowlist already.

      How to reproduce the issue

      1. Log in to AM and get the value of your iPlanetDirectoryPro cookie.
      2. Send the following cURL command to AM:
        curl --request POST \
          --url 'http://am.localtest.me:8080/openam/json/users?_action=validateGoto' \
          --header 'accept-api-version: protocol=2.1,resource=3.0' \
          --header 'content-type: application/json' \
          --cookie 'amlbcookie=01; iPlanetDirectoryPro=<your-cookie>' \
          --data '{"goto":"http://am.localtest.me:8080/openam/ui-admin/#configure/authentication"}'
      Expected behaviour

      HTTP 200
        "successURL": "/ui-admin/#configure/authentication"

      Current behaviour

      HTTP 200
        "successURL": "/openam/console"

      Workaround

      Create a Validation Service instance and add your AM domain to the Valid goto URL Resources list.

      Code analysis

          Promise<ActionResponse, ResourceException> validateGoto(final Context context,
                  final ActionRequest request) {
              final JsonValue jVal = request.getContent();
              JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
              try {
                  SSOTokenManager mgr = SSOTokenManager.getInstance();
                  SSOToken ssoToken = mgr.createSSOToken(getCookieFromServerContext(context));
                  String gotoURL = urlValidator.getRedirectUrl(ssoToken.getProperty(ISAuthConstants.ORGANIZATION),
                          urlValidator.getValueFromJson(jVal, RedirectUrlValidator.GOTO),
                          ssoToken.getProperty("successURL"), null);

      The last argument to getRedirectUrl is the HTTP request, which is used to compare the goto URL against the request URL to determine whether it is relative. Here null is passed because the request is not available at this point, so the relative check can never succeed and only the allowlist is consulted.
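      To make the missing check concrete, below is an added example (not AM's code) of the decision the validateGoto action should be making once it has the request URL: resolve the goto value against the request, accept it only if it has the same origin (scheme, host and port) as the request, and otherwise fall back to the allowlist or the default success URL. The context_path parameter, the default fallback value and the sample request URL are assumptions taken from the report's own examples; the allowlist is modelled as exact host names.

```python
from urllib.parse import urljoin, urlsplit

# Constructed from the report: the request URL used in the reproduction and the
# fallback AM currently returns when it rejects a goto value.
REQUEST_URL = "http://am.localtest.me:8080/openam/json/users?_action=validateGoto"
DEFAULT_SUCCESS_URL = "/openam/console"


def origin_of(url):
    """Return (scheme, host, port) for origin comparison, filling in default ports.

    Raises ValueError for a malformed port; the caller treats that as a rejection.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def validate_goto(goto, request_url, context_path="/openam", allowed_hosts=(),
                  default=DEFAULT_SUCCESS_URL):
    """Decide the successURL for a goto value (hypothetical validator, not AM's).

    1. Resolve goto against the request URL so relative paths and absolute URLs
       are compared on the same footing.
    2. Same origin as the request: accept, returned relative to the deployment
       context (context_path is an assumed parameter here).
    3. Otherwise accept only hosts on the explicit allowlist.
    4. Anything else falls back to the default success URL.
    """
    if not goto:
        return default
    # Browsers treat a backslash like a slash in http(s) URLs, so "/\evil.example"
    # would be followed as "//evil.example"; control characters can split headers.
    if "\\" in goto or any(ord(c) < 0x20 for c in goto):
        return default
    resolved = urljoin(request_url, goto)
    try:
        same_origin = origin_of(resolved) == origin_of(request_url)
    except ValueError:
        return default
    parts = urlsplit(resolved)
    if same_origin:
        path = parts.path or "/"
        if context_path and (path == context_path or path.startswith(context_path + "/")):
            path = path[len(context_path):] or "/"
        relative = path
        if parts.query:
            relative += "?" + parts.query
        if parts.fragment:
            relative += "#" + parts.fragment
        return relative
    host = (parts.hostname or "").lower()
    if host and host in {h.lower() for h in allowed_hosts}:
        return resolved
    return default


if __name__ == "__main__":
    # Constructed goto values: the report's own example plus common look-alikes
    # that must not be treated as relative to the request.
    for goto in [
        "http://am.localtest.me:8080/openam/ui-admin/#configure/authentication",
        "/openam/ui-admin/",
        "http://am.localtest.me/openam/x",            # same host, different port
        "//evil.example/phish",                       # protocol-relative
        "/\\evil.example",                            # backslash confusion
        "http://am.localtest.me:8080@evil.example/",  # userinfo trick
        "javascript:alert(1)",
    ]:
        print(f"{goto!r:72} -> {validate_goto(goto, REQUEST_URL)}")
```

      Running the block prints one line per sample goto; only the first two resolve to a relative successURL, everything else falls back to the default, which is the behaviour the expected-result section above describes for a same-origin goto.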

      Assignee: Isaac Taylor