Prevent access to Group SAML metadata/SLO endpoints

These have not been tested with the unique requirements of per-group SAML and have not yet been verified for security In particular, these will likely allow someone to determine if a group exists or not by guessing the name.

Prevent access to Group SAML metadata/SLO endpoints
These have not been tested with the unique requirements of per-group SAML and have not yet been verified for security In particular, these will likely allow someone to determine if a group exists or not by guessing the name.
dab03e73 · James Edwards-Jones · 5a9ee3b0 · dab03e73 · dab03e73
Commit dab03e73 authored May 18, 2018 by James Edwards-Jones
Showing with 38 additions and 2 deletions

ee/lib/omni_auth/strategies/group_saml.rb ee/lib/omni_auth/strategies/group_saml.rb +6 -0

ee/spec/lib/omni_auth/strategies/group_saml_spec.rb ee/spec/lib/omni_auth/strategies/group_saml_spec.rb +32 -2

No files found.
--- a/ee/lib/omni_auth/strategies/group_saml.rb
+++ b/ee/lib/omni_auth/strategies/group_saml.rb
@@ -21,6 +21,12 @@ module OmniAuth
        super
      end

+      # Prevent access to SLO and metadata endpoints
+      # These will need addtional work to securely support
+      def other_phase
+        call_app!
+      end
+
      def self.callback?(env)
        env['PATH_INFO'] =~ Gitlab::PathRegex.saml_callback_regex
      end

--- a/ee/spec/lib/omni_auth/strategies/group_saml_spec.rb
+++ b/ee/spec/lib/omni_auth/strategies/group_saml_spec.rb
@@ -60,7 +60,7 @@ describe OmniAuth::Strategies::GroupSaml, type: :strategy do
      end
    end

-    it 'returns 404 when if group is not found' do
+    it 'returns 404 when the group is not found' do
      expect do
        post "/groups/not-a-group/-/saml/callback", SAMLResponse: saml_response
      end.to raise_error(ActionController::RoutingError)
@@ -92,7 +92,7 @@ describe OmniAuth::Strategies::GroupSaml, type: :strategy do
      end.to raise_error(ActionController::RoutingError)
    end

-    it 'returns 404 when if group is not found' do
+    it 'returns 404 when the group is not found' do
      expect do
        post '/users/auth/group_saml', group_path: 'not-a-group'
      end.to raise_error(ActionController::RoutingError)
@@ -104,4 +104,34 @@ describe OmniAuth::Strategies::GroupSaml, type: :strategy do
      end.to raise_error(ActionController::RoutingError)
    end
  end
+
+  describe 'POST /users/auth/group_saml/metadata' do
+    it 'returns 404 when the group is not found' do
+      post '/users/auth/group_saml/metadata', group_path: 'not-a-group'
+
+      expect(last_response).to be_not_found
+    end
+
+    it 'returns 404 to avoid disclosing group existence' do
+      post '/users/auth/group_saml/metadata', group_path: 'my-group'
+
+      expect(last_response).to be_not_found
+    end
+  end
+
+  describe 'POST /users/auth/group_saml/slo' do
+    it 'returns 404 to avoid disclosing group existence' do
+      post '/users/auth/group_saml/slo', group_path: 'my-group'
+
+      expect(last_response).to be_not_found
+    end
+  end
+
+  describe 'POST /users/auth/group_saml/spslo' do
+    it 'returns 404 to avoid disclosing group existence' do
+      post '/users/auth/group_saml/spslo', group_path: 'my-group'
+
+      expect(last_response).to be_not_found
+    end
+  end
 end