8000 Preserve query parameters when redirecting requests by ahus1 · Pull Request #40490 · keycloak/keycloak · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Preserve query parameters when redirecting requests #40490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 18, 2025
Merged

Preserve query parameters when redirecting requests #40490

merged 4 commits into from
Jun 18, 2025

Conversation

ahus1
Copy link
Contributor
@ahus1 ahus1 commented Jun 13, 2025

Closes #40489

@ahus1 ahus1 self-assigned this Jun 13, 2025
@ahus1 ahus1 force-pushed the is-40489-handle-query-parameters branch from 0140f31 to f1b7f30 Compare June 13, 2025 20:59
@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover

Keycloak CI - Store IT (mssql)

java.lang.RuntimeException: java.lang.IllegalStateException: Keycloak unexpectedly died :(
	at org.keycloak.testsuite.arquillian.containers.KeycloakQuarkusServerDeployableContainer.start(KeycloakQuarkusServerDeployableContainer.java:71)
	at org.jboss.arquillian.container.impl.ContainerImpl.start(ContainerImpl.java:185)
	at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController$8.perform(ContainerLifecycleController.java:137)
	at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController$8.perform(ContainerLifecycleController.java:133)
...

Report flaky test

keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Jun 13, 2025
View reviewed changes
Copy link
@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@ahus1 ahus1 force-pushed the is-40489-handle-query-parameters branch from f1b7f30 to 3374b32 Compare June 14, 2025 18:36
@ahus1 ahus1 force-pushed the is-40489-handle-query-parameters branch from 3374b32 to 47f1845 Compare June 14, 2025 21:06
@ahus1
Preserve query parameters when redirecting requests
2896fb4 
Also hardening the redirect against uncommon URLs

Closes keycloak#40489

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
@ahus1 ahus1 force-pushed the is-40489-handle-query-parameters branch from 47f1845 to 2896fb4 Compare June 15, 2025 10:59
@ahus1 ahus1 marked this pull request as ready for review June 16, 2025 06:51
@ahus1 ahus1 requested review from a team as code owners June 16, 2025 06:51
ryanemerson
ryanemerson reviewed Jun 16, 2025
View reviewed changes
services/src/main/java/org/keycloak/services/resources/ThemeResource.java Outdated
base = base.substring(0, base.length() - 1);
if (!uriInfo.getRequestUri().toURL().getPath().startsWith(base + UriBuilder.fromResource(ThemeResource.class)
.path("/{version}/").build(version).getPath())) {
log.debugf("No URL encoding should be necessary for the version, returning a 404: %s", uriInfo.getRequestUri().getPath());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is that RestEasy will always return the version in decoded form. I'm struggling to understand scenarios where we need this check, can you provide an example?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am trying to prevent situations where someone passes in strange versions in, which then lead to open an open or half-open redirect.

Imagine a version like myversion/../../auth/realm/xxx which is then url-encoded as myversion%2F..%2F..%2Fauth%2Frealm%2Fxxx and passed in as the version URL fragment.

So I'd say everything that is encoded is possibly someone trying to exploit it. And as a version, we only use characters and numbers at the moment. I could add that as a regex check in addition, or as a replacement.

Still, IMHO we need the encoding check for the path.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for explaining.

Do we need this first check still given that we only redirect if (!version.equals(Version.RESOURCES_VERSION) && !hasContentHash), won't L123 protect against the scenario you describe?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes and no: For that branch, it is. But then there is also the part in line 148, and the fallthrough where there is a content hash and the resource is returned to the caller starting in line 156. For that item, I also don't want to accept just any version.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In L148 we're not checking against the version provided in the url though, we're only comparing the etag and Version.RESOURCES_VERSION. So I don't think an encoded path version can be exploited in this case as a 304 is sent.

Either way, happy to keep the check if you prefer. I do think a regex validating the version would be more explicit though. Adding some additional comments explaining why we're performing these checks would be nice for other contributors.

ryanemerson
ryanemerson reviewed Jun 16, 2025
View reviewed changes
services/src/main/java/org/keycloak/services/resources/ThemeResource.java Outdated
.path("/{version}/{themeType}/{themeName}/{path}")
// The 'path' can contain slashes, so encoding of slashes is set to false
.build(new Object[]{Version.RESOURCES_VERSION, themeType, themeName, path}, false)
redirectUri
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nitpick, but we can fix the formatting here to be a one-liner or:

                    return Response
                          .temporaryRedirect(redirectUri)
                          .build();

ahus1 added 2 commits June 16, 2025 12:46
@ahus1
Review comments addressed
4e3ec58 
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
@ahus1
Review comments addressed
98a9a95 
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
@ahus1 ahus1 requested a review from ryanemerson June 16, 2025 10:47
@ahus1
Copy link
Contributor Author
ahus1 commented Jun 16, 2025

Thank you. Your review comments should now be addressed.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 16, 2025
View reviewed changes
services/src/main/java/org/keycloak/services/resources/ThemeResource.java
// The 'path' can contain slashes, so encoding of slashes is set to false
.build(new Object[]{Version.RESOURCES_VERSION, themeType, themeName, path}, false)
).build();
return Response.temporaryRedirect(redirectUri)

Check warning

Code scanning / CodeQL

URL redirection from remote source Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.
@ahus1
Copy link
Contributor Author
ahus1 commented Jun 16, 2025

I see the CI is failing ... looking at it now.

@ryanemerson ryanemerson self-requested a review June 16, 2025 11:17
@ahus1
Fixing a test
2b16aed 
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
@ahus1
Copy link
Contributor Author
ahus1 commented Jun 16, 2025

@ryanemerson - ok, test is no fixed. Sorry for the noise. Please re-review. Thanks!

@ahus1 ahus1 enabled auto-merge (squash) June 16, 2025 15:56
@ahus1
Copy link
Contributor Author
ahus1 commented Jun 16, 2025

@mhajas - can you please approve based on Ryan's review? Thanks!

mhajas
mhajas approved these changes Jun 18, 2025
View reviewed changes
Copy link
Contributor
@mhajas mhajas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving based on the review from @ryanemerson

@ahus1 ahus1 merged commit efb1e09 into keycloak:main Jun 18, 2025
76 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@keycloak-github-bot keycloak-github-bot[bot] keycloak-github-bot[bot] left review comments

@ryanemerson ryanemerson ryanemerson approved these changes

@mhajas mhajas mhajas approved these changes

Assignees

@ahus1 ahus1

@mhajas mhajas

Labels
flaky-test team/cloud-native team/core-clients team/core-iam
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

When redirecting old resource versions, keep query parameters
3 participants
@ahus1 @ryanemerson @mhajas
0