OPENAM-16537: AM not validating relative redirects on POST


      Bug description

      Below I have used http://am.localtest.me:8080/openam for illustration but replace this with your local deployment of AM as required.
      When posting to `http://am.localtest.me:8080/openam/json/users?_action=validateGoto`, AM is unable to determine whether the redirect URL is relative to the request URL, so it rejects any URL that is not already in the allowlist.

      How to reproduce the issue

      1. Log in to AM and get the value of your iPlanetDirectoryPro cookie.
      2. Send the following cURL command to AM:
        curl --request POST \
          --url 'http://am.localtest.me:8080/openam/json/users?_action=validateGoto' \
          --header 'accept-api-version: protocol=2.1,resource=3.0' \
          --header 'content-type: application/json' \
          --cookie 'amlbcookie=01; iPlanetDirectoryPro=<your-cookie>' \
          --data '{"goto":"http://am.localtest.me:8080/openam/ui-admin/#configure/authentication"}'
        
      Expected behaviour
      HTTP 200
      {
        "successURL": "/ui-admin/#configure/authentication"
      }
      
      Current behaviour
      HTTP 200
      {
        "successURL": "/openam/console"
      }
      

      Workaround

      Create a Validation Service instance and add your AM domain to the Valid goto URL Resources list.

      Code analysis

      org.forgerock.openam.core.rest.IdentityResourceV2 (excerpt):
          Promise<ActionResponse, ResourceException> validateGoto(final Context context,
                  final ActionRequest request) {
      
              final JsonValue jVal = request.getContent();
              JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
      
              try {
                  SSOTokenManager mgr = SSOTokenManager.getInstance();
                  SSOToken ssoToken = mgr.createSSOToken(getCookieFromServerContext(context));
      
                  String gotoURL = urlValidator.getRedirectUrl(ssoToken.getProperty(ISAuthConstants.ORGANIZATION),
                          urlValidator.getValueFromJson(jVal, RedirectUrlValidator.GOTO),
                          ssoToken.getProperty("successURL"), null);
      
      

      The last argument to getRedirectUrl is the request, which the validator uses to compare the goto URL against the request URL and decide whether it is relative. Here null is passed because the request is not available at this point, so the relative check cannot succeed and only the allowlist is consulted.
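      The following Python function is an added illustration of the check described above, not OpenAM's own RedirectUrlValidator code: it resolves a goto value against the request URL when one is available (the expected behaviour), falls back to the allowlist when the request is null (the workaround), and otherwise returns the default success URL (the current behaviour). DEPLOYMENT_URI and the allowlist entries are assumed values for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Value the report shows AM returning when the goto is rejected.
DEFAULT_SUCCESS_URL = "/openam/console"
# Assumed deployment context of the example AM instance.
DEPLOYMENT_URI = "/openam"


def _origin(url):
    """(scheme, host, effective port) of a URL, lower-cased for comparison."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def validate_goto(goto, request_url=None, allowlist=()):
    """Return the successURL that should be handed back for a goto value.

    request_url is the URL of the incoming POST; None mirrors what the
    IdentityResourceV2.validateGoto excerpt passes. allowlist holds the
    "Valid goto URL Resources" origins configured in the Validation Service
    (constructed values in the example below).
    """
    parts = urlsplit(goto)
    # A bare path has no host to redirect to, so it is always relative.
    if not parts.scheme and not parts.netloc:
        return goto if goto.startswith("/") else DEFAULT_SUCCESS_URL
    # Only with the request URL in hand can an absolute goto be recognised as
    # pointing back at this deployment. Protocol-relative values such as
    # "//other.example/x" carry a netloc and therefore reach this comparison.
    if request_url is not None and _origin(goto) == _origin(request_url):
        path = parts.path
        if path.startswith(DEPLOYMENT_URI):
            path = path[len(DEPLOYMENT_URI):] or "/"
        return urlunsplit(("", "", path, parts.query, parts.fragment))
    # Anything else must be explicitly allowlisted (the workaround above).
    if any(_origin(goto) == _origin(entry) for entry in allowlist):
        return goto
    return DEFAULT_SUCCESS_URL


if __name__ == "__main__":
    req = "http://am.localtest.me:8080/openam/json/users?_action=validateGoto"
    goto = "http://am.localtest.me:8080/openam/ui-admin/#configure/authentication"
    print("with request:   ", validate_goto(goto, request_url=req))
    print("without request:", validate_goto(goto))
```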

      People

      isaac.taylor Isaac Taylor