Complete rebuild of the plugin

* Fix bug affecting Azure OIDC authentication ( and most likely others ) * Fixes issue #51 * Ensure that appended roles are unique. Update the documentation. * Improvements targetting possible memory usage spikes. * Additional fixes and cleanup * Refactoring code to fix the issues identified by the users. * Modernize run * Fieldalignment * Multiple changes to improve performance and reduce complexity. - Optimise the errors and recovery. - Deduplicate code in metadata cache. - Remove unused performance monitoring code. - Simplify session management and settings handling. * Fix claims issue. * Add ability to overwrite the default scopes in the settings file * Well.. that escalated quickly. Completely forgot that Traefik uses outdated Yaegi and requires compatibility with 1.20 ( pre-generic Go code ). * Bugfix #51: Ensures that user provided scopes overrides work. * fixup! Bugfix #51: Ensures that user provided scopes overrides work. * fixup! fixup! Bugfix #51: Ensures that user provided scopes overrides work. * Abstract the provider logic into a separate package. * Additional micro fixes and cleanups. * Simplify all the things. * fixup! Simplify all the things. * fixup! fixup! Simplify all the things. * fixup! fixup! fixup! Simplify all the things. * fixup! fixup! fixup! fixup! Simplify all the things. * ... * Cleanup tests. * fixup! Cleanup tests. * fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! fixup! Cleanup tests. * Issue #53: Fix CSRF token handling in reverse proxy 1. ✅ HTTPS Detection Fixed (session.go:723) - Now uses X-Forwarded-Proto header instead of r.URL.Scheme - Properly detects HTTPS in reverse proxy environments 2. ✅ SameSite Cookie Attribute Fixed - Removed automatic SameSiteStrictMode for HTTPS (would break OAuth) - Keeps SameSiteLaxMode to allow OAuth callbacks from external domains - Only uses Strict for AJAX requests which don't involve OAuth redirects 3. ✅ Cookie Domain Handling Fixed - Now respects X-Forwarded-Host header for cookie domain - Ensures cookies are set for the public domain, not internal proxy domain 4. ✅ EnhanceSessionSecurity Properly Integrated - Function is now actually called during session save - Applies security enhancements without breaking OAuth flow Why Issue #53 Failed Before: 1. Cookies were not marked Secure in HTTPS environments (browser wouldn't send them back) 2. If they had been Secure with SameSite=Strict, Azure callbacks would still fail 3. Cookie domain might have been wrong (internal vs public domain) Why It Works Now: 1. Cookies are properly marked Secure for HTTPS 2. Uses SameSite=Lax to allow OAuth provider callbacks 3. Cookie domain uses public domain from X-Forwarded-Host 4. CSRF token persists through the entire OAuth flow * Next set of enhancements together with memory usage improvements. * Memory leak fixes and optimisations. * CSRF and Cookie Domain fixes * fixup! CSRF and Cookie Domain fixes * Metadata cache leak fix + profiling * fixup! Metadata cache leak fix + profiling * Memory leaks hunting, part 1337. * Further pursue of perfection. * fixup! Further pursue of perfection. * fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * Clear race conditions * fixup! Clear race conditions * Weekend fun with memory leaks * Splitting code into multiple files with reasonable testing coverage. ``` ok github.com/lukaszraczylo/traefikoidc 117.017s coverage: 72.6% of statements ok github.com/lukaszraczylo/traefikoidc/auth 0.505s coverage: 87.1% of statements ok github.com/lukaszraczylo/traefikoidc/circuit_breaker 0.283s coverage: 99.0% of statements github.com/lukaszraczylo/traefikoidc/config coverage: 0.0% of statements ok github.com/lukaszraczylo/traefikoidc/handlers 0.349s coverage: 98.2% of statements ok github.com/lukaszraczylo/traefikoidc/internal/providers (cached) coverage: 94.3% of statements ok github.com/lukaszraczylo/traefikoidc/middleware 0.808s coverage: 78.0% of statements ok github.com/lukaszraczylo/traefikoidc/recovery 0.653s coverage: 100.0% of statements ok github.com/lukaszraczylo/traefikoidc/session/chunking (cached) coverage: 87.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/core (cached) coverage: 85.6% of statements ok github.com/lukaszraczylo/traefikoidc/session/crypto (cached) coverage: 81.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/storage (cached) coverage: 93.5% of statements ok github.com/lukaszraczylo/traefikoidc/session/validators (cached) coverage: 98.8% of statements ```` * fixup! Splitting code into multiple files with reasonable testing coverage. * fixup! fixup! Splitting code into multiple files with reasonable testing coverage. * Weekend fun with further optimisations. * fixup! Weekend fun with further optimisations. * fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * Pre-release cleanup. * Enhance test coverage. * fixup! Enhance test coverage. * fixup! fixup! Enhance test coverage. * fixup! fixup! fixup! Enhance test coverage.
2026-06-05 22:44:17 +00:00 · 2025-09-18 11:01:30 +01:00
parent 784b161732
commit 1b49e133da
181 changed files with 78067 additions and 8289 deletions
@@ -4,45 +4,47 @@ import (
 	"fmt"
 	"net/url"
 	"regexp"
+	"strconv"
 	"strings"
 	"unicode"
 	"unicode/utf8"
 )

 // InputValidator provides comprehensive input validation and sanitization
+// to protect against common security vulnerabilities including SQL injection,
+// XSS, path traversal, and other injection attacks. It validates and sanitizes
+// various input types used in OIDC authentication flows.
 type InputValidator struct {
-	// Configuration
-	maxTokenLength    int
-	maxURLLength      int
-	maxHeaderLength   int
-	maxClaimLength    int
-	maxEmailLength    int
-	maxUsernameLength int
-
-	// Compiled regex patterns
-	emailRegex    *regexp.Regexp
-	urlRegex      *regexp.Regexp
-	tokenRegex    *regexp.Regexp
-	usernameRegex *regexp.Regexp
-
-	// Security patterns to detect
+	usernameRegex         *regexp.Regexp
+	tokenRegex            *regexp.Regexp
+	logger                *Logger
+	urlRegex              *regexp.Regexp
+	emailRegex            *regexp.Regexp
 	sqlInjectionPatterns  []string
-	xssPatterns           []string
 	pathTraversalPatterns []string
-
-	logger *Logger
+	xssPatterns           []string
+	maxUsernameLength     int
+	maxURLLength          int
+	maxTokenLength        int
+	maxEmailLength        int
+	maxClaimLength        int
+	maxHeaderLength       int
 }

-// ValidationResult represents the result of input validation
+// ValidationResult encapsulates the outcome of input validation.
+// It includes the sanitized value, detected security risks, validation
+// errors and warnings, and an overall validity status.
 type ValidationResult struct {
-	IsValid        bool     `json:"is_valid"`
-	Errors         []string `json:"errors,omitempty"`
-	Warnings       []string `json:"warnings,omitempty"`
 	SanitizedValue string   `json:"sanitized_value,omitempty"`
 	SecurityRisk   string   `json:"security_risk,omitempty"`
+	Errors         []string `json:"errors,omitempty"`
+	Warnings       []string `json:"warnings,omitempty"`
+	IsValid        bool     `json:"is_valid"`
 }

-// InputValidationConfig holds configuration for input validation
+// InputValidationConfig defines the configuration parameters for input validation.
+// It specifies maximum lengths for various input types and controls whether
+// strict validation mode is enabled.
 type InputValidationConfig struct {
 	MaxTokenLength    int  `json:"max_token_length"`
 	MaxURLLength      int  `json:"max_url_length"`
@@ -53,7 +55,9 @@ type InputValidationConfig struct {
 	StrictMode        bool `json:"strict_mode"`
 }

-// DefaultInputValidationConfig returns default validation configuration
+// DefaultInputValidationConfig returns a secure default configuration
+// for input validation with reasonable limits based on industry standards
+// and security best practices.
 func DefaultInputValidationConfig() InputValidationConfig {
 	return InputValidationConfig{
 		MaxTokenLength:    50000, // 50KB for tokens
@@ -66,7 +70,16 @@ func DefaultInputValidationConfig() InputValidationConfig {
 	}
 }

-// NewInputValidator creates a new input validator with the given configuration
+// NewInputValidator creates a new input validator with the specified configuration.
+// It compiles all necessary regex patterns and initializes security pattern lists.
+//
+// Parameters:
+//   - config: Validation configuration with size limits and mode settings.
+//   - logger: Logger instance for recording validation events.
+//
+// Returns:
+//   - A configured InputValidator instance.
+//   - An error if regex compilation fails.
 func NewInputValidator(config InputValidationConfig, logger *Logger) (*InputValidator, error) {
 	// Compile regex patterns
 	emailRegex, err := regexp.Compile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
@@ -307,6 +320,42 @@ func (iv *InputValidator) ValidateURL(urlStr string) ValidationResult {
 		return result
 	}

+	// Check for localhost or private IPs for security
+	// Allow localhost for HTTPS (development/testing) but warn about it
+	hostname := strings.ToLower(parsedURL.Hostname())
+	if hostname == "localhost" || hostname == "127.0.0.1" || hostname == "::1" {
+		if parsedURL.Scheme == "https" {
+			// Allow HTTPS localhost for development but warn
+			result.Warnings = append(result.Warnings, "localhost URLs should only be used for development/testing")
+		} else {
+			// Reject non-HTTPS localhost for security
+			result.IsValid = false
+			result.Errors = append(result.Errors, "non-HTTPS localhost URLs are not allowed for security")
+			return result
+		}
+	}
+
+	// Check for private IP ranges (RFC 1918)
+	if strings.HasPrefix(hostname, "10.") ||
+		strings.HasPrefix(hostname, "192.168.") ||
+		strings.HasPrefix(hostname, "172.") {
+		// For 172.x check if it's in the 172.16.0.0/12 range
+		if strings.HasPrefix(hostname, "172.") {
+			parts := strings.Split(hostname, ".")
+			if len(parts) >= 2 {
+				if second, err := strconv.Atoi(parts[1]); err == nil && second >= 16 && second <= 31 {
+					result.IsValid = false
+					result.Errors = append(result.Errors, "private IP URLs are not allowed for security")
+					return result
+				}
+			}
+		} else {
+			result.IsValid = false
+			result.Errors = append(result.Errors, "private IP URLs are not allowed for security")
+			return result
+		}
+	}
+
 	// Check for suspicious patterns
 	if risk := iv.detectSecurityRisk(sanitized); risk != "" {
 		result.SecurityRisk = risk
@@ -395,7 +444,9 @@ func (iv *InputValidator) ValidateClaim(claimName, claimValue string) Validation
 	}

 	if iv.containsControlCharacters(claimValue) {
-		result.Warnings = append(result.Warnings, "claim value contains control characters")
+		result.IsValid = false
+		result.Errors = append(result.Errors, "claim value contains control characters")
+		return result
 	}

 	// Validate UTF-8 encoding
@@ -408,7 +459,25 @@ func (iv *InputValidator) ValidateClaim(claimName, claimValue string) Validation
 	// Check for suspicious patterns
 	if risk := iv.detectSecurityRisk(claimValue); risk != "" {
 		result.SecurityRisk = risk
-		result.Warnings = append(result.Warnings, fmt.Sprintf("potential security risk detected: %s", risk))
+		result.IsValid = false
+		result.Errors = append(result.Errors, fmt.Sprintf("potential security risk detected: %s", risk))
+		return result
+	}
+
+	// Check for excessive unicode (emojis and special characters)
+	unicodeCount := 0
+	runeCount := 0
+	for _, r := range claimValue {
+		runeCount++
+		if r > 127 { // Non-ASCII character
+			unicodeCount++
+		}
+	}
+	// If more than 50% of the characters are unicode, consider it suspicious
+	if runeCount > 0 && unicodeCount > runeCount/2 {
+		result.IsValid = false
+		result.Errors = append(result.Errors, "claim value contains excessive unicode characters")
+		return result
 	}

 	// Specific validations based on claim name
@@ -493,6 +562,13 @@ func (iv *InputValidator) ValidateHeader(headerName, headerValue string) Validat
 		return result
 	}

+	// Check for control characters in header value
+	if iv.containsControlCharacters(headerValue) {
+		result.IsValid = false
+		result.Errors = append(result.Errors, "header value contains control characters")
+		return result
+	}
+
 	// Validate UTF-8 encoding
 	if !utf8.ValidString(headerValue) {
 		result.IsValid = false
@@ -503,7 +579,9 @@ func (iv *InputValidator) ValidateHeader(headerName, headerValue string) Validat
 	// Check for suspicious patterns
 	if risk := iv.detectSecurityRisk(headerValue); risk != "" {
 		result.SecurityRisk = risk
-		result.Warnings = append(result.Warnings, fmt.Sprintf("potential security risk detected: %s", risk))
+		result.IsValid = false
+		result.Errors = append(result.Errors, fmt.Sprintf("potential security risk detected: %s", risk))
+		return result
 	}

 	result.SanitizedValue = strings.TrimSpace(headerValue)