Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth2 filter: improve the csrf token with "Signed Double-Submit Cookie" #37646

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

OAuth2 filter: improve the csrf token with "Signed Double-Submit Cookie" #37646

wants to merge 10 commits into from
+228 −114

Conversation

zhaohuabing
Copy link
Member

@zhaohuabing zhaohuabing commented Dec 13, 2024
edited
Loading

Commit Message: The current CSRF token in the OAuth2 filter state is a random string. This PR improved it by signing the random string with the HMAC secret, adding protection agains CSRF token forgery.

The new CSRF token is in the format of <nonce>.<hmac(nonce)>, which is the Signed Double-Submit Cookie pattern recommended by OWASP.

Additional Description:
Risk Level: low
Testing: Unit test and integration test
Docs Changes: No
Release Notes: Yes
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #37560]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

cc @denniskniep @missBerg @arkodg

@zhaohuabing
use hmac to verify the csrf token
458fc1e 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
fix test
89f5119 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
fix format
2e0641a 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing marked this pull request as draft December 13, 2024 08:07
@zhaohuabing zhaohuabing changed the title Oauth2 csrf token single double submit cookie OAuth2 filter: improve the csrf token with "Signed Double-Submit Cookie" Dec 13, 2024
@zhaohuabing
update change log
38f1742 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
add unit test
d984e69 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
fix test
3c03b55 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing force-pushed the oauth2-csrf-token-single-double-submit-cookie branch from 8336232 to 3c03b55 Compare December 13, 2024 12:44
@zhaohuabing zhaohuabing mentioned this pull request Dec 13, 2024
Open
@zhaohuabing
patch example
2d1cc9a 
Signed-off-by: Huabing Zhao <[email protected]>
@repokitteh-read-only repokitteh-read-only bot added the deps Approval required for changes to Envoy's external dependencies label Dec 13, 2024
@repokitteh-read-only RepoKitteh - Read Only
Copy link

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).
envoyproxy/dependency-shepherds assignee is @mattklein123

🐱

Caused by: #37646 was synchronize by zhaohuabing.

see: more, trace.

@zhaohuabing zhaohuabing marked this pull request as ready for review December 16, 2024 04:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@mattklein123 mattklein123

Labels
deps Approval required for changes to Envoy's external dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Improve OAuth csrf token with "Signed Double-Submit Cookie"
2 participants
@zhaohuabing @mattklein123