From 9007d66559f566de6dbb98c397d7e2ff00d934f9 Mon Sep 17 00:00:00 2001 From: Joel Speed Date: Mon, 11 Dec 2017 09:33:52 +0000 Subject: [PATCH] Test explicit subdomain whitelisting --- oauthproxy_test.go | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/oauthproxy_test.go b/oauthproxy_test.go index b53c79b..973fa4a 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go @@ -98,7 +98,8 @@ func TestIsValidRedirect(t *testing.T) { opts.ClientID = "bazquux" opts.ClientSecret = "foobar" opts.CookieSecret = "xyzzyplugh" - opts.WhitelistDomains = []string{"foo.bar"} + // Should match domains that are exactly foo.bar and any subdomain of bar.foo + opts.WhitelistDomains = []string{"foo.bar", ".bar.foo"} opts.Validate() proxy := NewOAuthProxy(opts, func(string) bool { return true }) @@ -112,12 +113,24 @@ func TestIsValidRedirect(t *testing.T) { doubleSlash := proxy.IsValidRedirect("//redirect") assert.Equal(t, false, doubleSlash) - validHTTP := proxy.IsValidRedirect("http://baz.foo.bar/redirect") + validHTTP := proxy.IsValidRedirect("http://foo.bar/redirect") assert.Equal(t, true, validHTTP) - validHTTPS := proxy.IsValidRedirect("https://baz.foo.bar/redirect") + validHTTPS := proxy.IsValidRedirect("https://foo.bar/redirect") assert.Equal(t, true, validHTTPS) + invalidHTTPSubdomain := proxy.IsValidRedirect("http://baz.foo.bar/redirect") + assert.Equal(t, false, invalidHTTPSubdomain) + + invalidHTTPSSubdomain := proxy.IsValidRedirect("https://baz.foo.bar/redirect") + assert.Equal(t, false, invalidHTTPSSubdomain) + + validHTTPSubdomain := proxy.IsValidRedirect("http://baz.bar.foo/redirect") + assert.Equal(t, true, validHTTPSubdomain) + + validHTTPSSubdomain := proxy.IsValidRedirect("https://baz.bar.foo/redirect") + assert.Equal(t, true, validHTTPSSubdomain) + invalidHTTP1 := proxy.IsValidRedirect("http://foo.bar.evil.corp/redirect") assert.Equal(t, false, invalidHTTP1)