
Unsanitised endpoints string formatting #306

Open
cedws opened this issue May 30, 2022 · 2 comments
Labels
bug Something isn't working no-stalebot

Comments

@cedws

cedws commented May 30, 2022

Describe the bug?

There are various methods in the SDK which take a string parameter and format an endpoint URL. Take this method for example:

```go
// Fetches a user from your Okta organization.
func (m *UserResource) GetUser(ctx context.Context, userId string) (*User, *Response, error) {
	url := fmt.Sprintf("/api/v1/users/%v", userId)
	rq := m.client.CloneRequestExecutor()
	req, err := rq.WithAccept("application/json").WithContentType("application/json").NewRequest("GET", url, nil)
	if err != nil {
		return nil, nil, err
	}
	var user *User
	resp, err := rq.Do(ctx, req, &user)
	if err != nil {
		return nil, resp, err
	}
	return user, resp, nil
}
```

A username is taken as a parameter and appended to /api/v1/users/. This could be an issue because the username is not sanitised. If the attacker controls this input it would be possible to call another endpoint by passing something such as fakeuser/grants, fakeuser/groups, or any other endpoint that accepts GET requests. This principle could be used to perform other operations like POST/PUT requests.

This could be dangerous if a consumer of the SDK is not aware that they need to pre-sanitise. In the real world, we can imagine an internal web page for looking up Okta users. A form sends a username to the backend which is passed into GetUser(). Somebody able to access the web page might be able to send crafted inputs to potentially obtain information they shouldn't be able to or perform administrative actions.

What is expected to happen?

The SDK should convey that consumers are expected to sanitise strings to prevent manipulation of endpoint URLs.

What is the actual behavior?

The SDK is vulnerable to manipulation of endpoint URLs via unsanitised input.

Reproduction Steps?

Proof of concept code:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/okta/okta-sdk-golang/v2/okta"
)

// Org URL and API token are read from the environment (placeholders in the original report).
var (
	OKTA_ORG   = os.Getenv("OKTA_ORG")
	OKTA_TOKEN = os.Getenv("OKTA_TOKEN")
)

func main() {
	// NewClient returns the context to use for subsequent calls along with the client.
	ctx, oktaClient, err := okta.NewClient(
		context.TODO(),
		okta.WithOrgUrl(OKTA_ORG),
		okta.WithToken(OKTA_TOKEN),
	)
	if err != nil {
		panic(err)
	}

	// The "user ID" carries an extra path segment, so the request is sent to /api/v1/users/fakeuser/groups.
	user, resp, err := oktaClient.User.GetUser(ctx, "fakeuser/groups")
	fmt.Printf("%+v %+v %+v\n", user, resp, err)
}
```

Additional Information?

No response

Golang Version

N/A

SDK Version

v2.12.1

OS version

No response
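A consumer-side guard for the pattern described in this report, as an added example that is not part of the issue or of the Okta SDK: ValidateUserID and UserEndpoint are hypothetical names, and the path prefix is the one GetUser formats. It rejects identifiers that could add or change path segments and escapes the rest into a single segment.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeID is returned for identifiers that could alter the endpoint path.
var ErrUnsafeID = errors.New("user identifier contains path-altering characters")

// ValidateUserID rejects any identifier that could escape the single path
// segment interpolated into "/api/v1/users/%v". Hypothetical consumer-side
// guard; the SDK itself performs no such check.
func ValidateUserID(userId string) error {
	if userId == "" || userId == "." || userId == ".." {
		return ErrUnsafeID
	}
	// Separators, query/fragment starts and pre-encoded bytes are all rejected.
	if strings.ContainsAny(userId, "/\\?#%") {
		return ErrUnsafeID
	}
	return nil
}

// UserEndpoint builds the endpoint path as one escaped segment, so reserved
// characters can never be interpreted as extra path components or a query.
func UserEndpoint(userId string) (string, error) {
	if err := ValidateUserID(userId); err != nil {
		return "", err
	}
	return "/api/v1/users/" + url.PathEscape(userId), nil
}

func main() {
	// Constructed sample inputs, including the one from the report.
	for _, id := range []string{"alice", "fakeuser/groups", "fakeuser?limit=1", "../groups"} {
		p, err := UserEndpoint(id)
		fmt.Printf("%-18q -> %q %v\n", id, p, err)
	}
}
```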

@cedws cedws added the bug Something isn't working label May 30, 2022
@laura-rodriguez
Collaborator

Hi @cedws,

Thanks for reporting this issue. Someone from our team will review it soon.

cc @MikeMondragon-okta

@monde monde self-assigned this May 31, 2022
@github-actions

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

@github-actions github-actions bot added the stale label Jun 16, 2022
@monde monde added no-stalebot and removed stale labels Jun 22, 2022
@monde monde removed their assignment Aug 15, 2022