added state check against stolen session

feyruzb · Sep 18, 2024 · 304b602 · 304b602
1 parent 3c83d1e
commit 304b602
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/web/server/codechecker_server/api/authentication.py b/web/server/codechecker_server/api/authentication.py
@@ -106,6 +106,7 @@ def createLink(self, provider):
                 codechecker_api_shared.ttypes.ErrorCode.AUTH_DENIED,
                 "OAuth authentication is not enabled.")
 
+        stored_state = generate_token()
         client_id = oauth_config["oauth_client_id"]
         client_secret = oauth_config["oauth_client_secret"]
         scope = oauth_config["oauth_scope"]
@@ -122,7 +123,7 @@ def createLink(self, provider):
         # Create authorization URL
         nonce = generate_token()
         url = session.create_authorization_url(
-            authorization_uri, nonce=nonce)[0]
+            authorization_uri, nonce=nonce, state = stored_state)[0]
         return url
 
     @timeit
@@ -231,7 +232,9 @@ def performLogin(self, auth_method, auth_string):
             # which doesn't correctly fetch the code from url.
 
             code = url.split("code=")[1].split("&")[0]
-            url = url.split("?")[0] + "?code=" + code
+            url = url.split("?")[0] + "?code=" + code + "&state=" + \
+                url.split("state=")[1].split("&")[0]
+
             token = session.fetch_token(
                 url=token_url,
                 authorization_response=url)

diff --git a/web/server/vue-cli/src/views/Login.vue b/web/server/vue-cli/src/views/Login.vue
@@ -198,8 +198,15 @@ export default {
     detectCallback() {
       const url = this.$route.query;
       const provider = localStorage.getItem("oauth_provider");
+      const state = localStorage.getItem("oauth_state");
 
       if (url.code != null && url.state != null) {
+        if (url.state != state) {
+          this.errorMsg = "Invalid state!";
+          this.error = true;
+          return;
+        }
+
         this.$store
           .dispatch(LOGIN, {
             type: "oauth",
@@ -246,6 +253,9 @@ export default {
         if (url) {
           this.success = false;
           this.error = false;
+          localStorage.setItem("oauth_state",
+            url.split("state=")[1].split("&")[0]);
+
           window.location.href = url;
           this.link = url;
         } else {