Validate Okta issuer URLs before use#41
Conversation
Add the local keyserver service, CLI publish/login/fetch commands, compose smoke wiring, and tests as a reviewable baseline for the security hardening work stacked above it. Constraint: Security fixes for issues #30-#34 target files that are not yet present on main. Rejected: Fold all security fixes into one PR | would make review and issue closure harder. Confidence: medium Scope-risk: broad Directive: Review this foundation before merging stacked hardening PRs into main. Tested: PYTHONPATH=. python3 -m unittest discover keyserver/tests; env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./... Not-tested: Docker compose smoke test was not run locally.
Both the CLI and keyserver now parse and reject unsafe Okta issuer URLs before constructing OAuth or userinfo endpoints, preventing token exchange against non-HTTPS, localhost, private-network, or query-injected issuers. Constraint: Validation must stay dependency-free and avoid DNS lookups during local command execution. Rejected: Resolve DNS to classify private networks | adds latency and can create surprising network access during validation. Confidence: high Scope-risk: moderate Directive: Do not build OAuth endpoints by raw string concatenation before issuer validation. Tested: env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./...; PYTHONPATH=. python3 -m unittest discover keyserver/tests Related: #31
![amazon-q-developer[bot]](https://avatars.githubusercontent.com/in/1220912?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR implements comprehensive validation for Okta issuer URLs in both the CLI and keyserver to prevent security vulnerabilities including downgrade attacks, SSRF, and URL manipulation. The implementation includes proper error handling, consistent validation logic across Go and Python implementations, and thorough test coverage for both valid and invalid cases. The security validations correctly reject non-HTTPS URLs, localhost/private/link-local IPs, and URLs with query/fragment components while accepting valid HTTPS URLs. No blocking defects identified.
You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.
|
Closing because this was opened against the wrong repository. The security triage is being redone against companyjupiter/quarkify. |
1 participant
Summary
Closes #31.
Validation
env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./...PYTHONPATH=. python3 -m unittest discover keyserver/tests