Commit 9d31b4e
Issue #25 — timing attack in static token comparison:
Both token comparison sites in proxy.go used Go's == operator which is not
constant-time. An attacker measuring response latency could determine the
correct token one byte at a time.
Fix: replace == with crypto/subtle.ConstantTimeCompare at both call sites.
Issue #26 — port parameter not validated in OIDC authorize endpoint:
The 'p' query parameter was interpolated directly into the redirect URL
(http://127.0.0.1:%s/callback) without any validation, allowing path
injection via values like '80/evil-path#'.
Fix: parse port with strconv.Atoi and reject values outside [1, 65535].
Use %d (not %s) in the format string to prevent any further injection.
Co-authored-by: Mangirdas Judeikis <mjudeikis@gmail.com>
Co-authored-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
1 parent f8ede10 commit 9d31b4e
2 files changed
Lines changed: 15 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
| 29 | + | |
29 | 30 | | |
30 | 31 | | |
31 | 32 | | |
| |||
104 | 105 | | |
105 | 106 | | |
106 | 107 | | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
107 | 116 | | |
108 | | - | |
| 117 | + | |
109 | 118 | | |
110 | 119 | | |
111 | 120 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
20 | 20 | | |
21 | 21 | | |
22 | 22 | | |
| 23 | + | |
23 | 24 | | |
24 | 25 | | |
25 | 26 | | |
| |||
123 | 124 | | |
124 | 125 | | |
125 | 126 | | |
| 127 | + | |
126 | 128 | | |
127 | | - | |
| 129 | + | |
128 | 130 | | |
129 | 131 | | |
130 | 132 | | |
| |||
541 | 543 | | |
542 | 544 | | |
543 | 545 | | |
| 546 | + | |
544 | 547 | | |
545 | 548 | | |
546 | | - | |
| 549 | + | |
547 | 550 | | |
548 | 551 | | |
549 | 552 | | |
| |||
0 commit comments