fix: harden browser login callbacks#708
Draft
desimone wants to merge 1 commit into
Draft
Conversation
Refs: ENG-4238 Accept a credential only on the random callback created for this login and reject redirect overrides. Bound incomplete headers and quote CI path exports.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
This hardens the loopback callback used by interactive browser login. Each login now creates a random, single-use callback path and accepts only the issued host, path,
GETmethod, and one non-emptypomerium_jwtquery value.The callback server also sets a five-second read-header timeout. The client overrides any caller-provided redirect URI with its own callback address and clones caller-owned parameters before making that change. The included workflow fix quotes writes to
GITHUB_PATHso paths containing whitespace work.Why
Previously, the callback accepted the first credential-bearing request on a predictable loopback endpoint, including broader methods and request shapes. Another local process or a cross-origin form could inject a credential into an interactive login. A caller could also direct the resulting credential to a different redirect URI.
Review notes
Invalid requests do not consume the valid callback and never reflect the credential.
GetBrowserJWTstays explicitly interactive;GetJWTpreserves its service-account precedence.Testing
The focused race suite covers hostile redirect URIs, concurrent callbacks, invalid request shapes, and caller-map non-mutation. A known unrelated race in
cmd/pomerium-cliexists on cleanmain; it is outside this diff.Related issue
AI assistance
Codex assisted with implementation and test authoring. Claude performed adversarial review of callback handling. Bobby defined the security requirements.