check that an FQDN belongs to a known app before redirecting to it (#44188)

Fixes gravitational/teleport-private#1492, updates gravitational/teleport-private#1418.

Co-authored-by: Andrew LeFevre <Andrew LeFevre>
capnspacehook authored Jul 16, 2024
1 parent 7afa583 commit eb51e49
Showing 2 changed files with 29 additions and 6 deletions.
20 changes: 14 additions & 6 deletions web/packages/teleport/src/AppLauncher/AppLauncher.test.tsx
Expand Up @@ -79,6 +79,9 @@ describe('app launcher path is properly formed', () => {
global.fetch = jest.fn(() => Promise.resolve({})) as jest.Mock;
jest.spyOn(api, 'get').mockResolvedValue({});
jest.spyOn(api, 'post').mockResolvedValue({});
jest.spyOn(service, 'getAppFqdn').mockResolvedValue({
fqdn: 'grafana.localhost',
});
jest.spyOn(service, 'createAppSession').mockResolvedValue({
cookieValue: 'cookie-value',
subjectCookieValue: 'subject-cookie-value',
Expand Down Expand Up @@ -115,7 +118,10 @@ describe('app launcher path is properly formed', () => {
);
});

test('arn is url decoded', () => {
test('arn is url decoded', async () => {
jest.spyOn(service, 'getAppFqdn').mockResolvedValue({
fqdn: 'test-app.test.teleport',
});
jest.spyOn(service, 'createAppSession');

const launcherPath =
Expand All @@ -132,11 +138,13 @@ describe('app launcher path is properly formed', () => {
</Router>
);

expect(service.createAppSession).toHaveBeenCalledWith({
fqdn: 'test-app.test.teleport',
clusterId: 'test.teleport',
publicAddr: 'test-app.test.teleport',
arn: 'arn:aws:iam::joe123:role/EC2FullAccess',
await waitFor(() => {
expect(service.createAppSession).toHaveBeenCalledWith({
fqdn: 'test-app.test.teleport',
clusterId: 'test.teleport',
publicAddr: 'test-app.test.teleport',
arn: 'arn:aws:iam::joe123:role/EC2FullAccess',
});
});
});
});
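Review bot: The new mocks only exercise the passing branch of the FQDN check — `getAppFqdn` is mocked (lines `jest.spyOn(service, 'getAppFqdn').mockResolvedValue({ fqdn: 'test-app.test.teleport' })`) to return exactly the fqdn in the launcher path, so nothing here shows that a mismatch actually stops the launch, which is the point of this fix. A negative case that mocks `getAppFqdn` to resolve to a different host and asserts `createAppSession` is never called would pin that behaviour. How `AppLauncher` surfaces the thrown error is not visible on this page, so the assertion below stays on the session call rather than on rendered output. It renders `AppLauncher` the same way as the `arn is url decoded` case above, whose `Router` setup lies partly outside the shown hunk.
```typescript
  test('launch is refused when the resolved fqdn does not match', async () => {
    jest.spyOn(service, 'getAppFqdn').mockResolvedValue({
      fqdn: 'other-app.test.teleport',
    });
    jest.spyOn(service, 'createAppSession');

    // … unchanged: render <AppLauncher /> inside the Router at the same launcherPath as the test above …

    await waitFor(() => {
      expect(service.getAppFqdn).toHaveBeenCalled();
    });
    expect(service.createAppSession).not.toHaveBeenCalled();
  });
```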
15 changes: 15 additions & 0 deletions web/packages/teleport/src/AppLauncher/AppLauncher.tsx
Expand Up @@ -41,6 +41,21 @@ export function AppLauncher() {
const port = location.port ? `:${location.port}` : '';

try {
// Attempt to resolve the fqdn of the app, if we can't then an error
// will be returned preventing a redirect to a potentially arbitrary
// address. Compare the resolved fqdn with the one that was passed,
// if they don't match then the public address was used to find the
// resolved fqdn, and the passed fdqn isn't valid.
const resolvedApp = await service.getAppFqdn({
fqdn: params.fqdn,
clusterId: params.clusterId,
publicAddr: params.publicAddr,
arn: params.arn,
});
if (resolvedApp.fqdn !== params.fqdn) {
throw Error(`Failed to match applications with FQDN ${params.fqdn}`);
}

let path = '';
if (queryParams.has('path')) {
path = queryParams.get('path');
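Review bot: The guard `if (resolvedApp.fqdn !== params.fqdn)` is a case-sensitive byte comparison while hostnames are case-insensitive, so a launcher URL whose fqdn differs from the server's canonical form only in letter case would be rejected even though it names the same app; whether the backend returns a normalized fqdn is not visible here, so this is a possible spurious failure rather than a bypass. Comparing after lowercasing both sides, `if (resolvedApp.fqdn.toLowerCase() !== params.fqdn.toLowerCase())`, keeps the check while tolerating that difference. Stronger still, and independent of how the comparison is written, would be to build the redirect from `resolvedApp.fqdn` rather than from `params.fqdn`, so the destination host is always the server-validated value; the redirect itself and the rest of `AppLauncher` continue past the end of this hunk. The last line of the new comment misspells `fdqn`, and `throw Error(...)` is conventionally written `throw new Error(...)` to match the rest of the codebase's style.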
