1

iQQBot · ona-agent · iQQBot · commit df392be08a20 · 2025-07-30T10:52:50.000Z
Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/components/server/src/auth/authenticator.ts b/components/server/src/auth/authenticator.ts
@@ -7,6 +7,7 @@
 import { BUILTIN_INSTLLATION_ADMIN_USER_ID, TeamDB } from "@gitpod/gitpod-db/lib";
 import { User } from "@gitpod/gitpod-protocol";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { GitpodHostUrl } from "@gitpod/gitpod-protocol/lib/util/gitpod-host-url";
 import express from "express";
 import { inject, injectable, postConstruct } from "inversify";
 import passport from "passport";
@@ -21,6 +22,82 @@ import { SignInJWT } from "./jwt";
 import { NonceService } from "./nonce-service";
 import { ensureUrlHasFragment } from "./fragment-utils";
 
+/**
+ * Common validation logic for returnTo URLs.
+ * @param returnTo The URL to validate
+ * @param hostUrl The host URL configuration
+ * @param allowedPatterns Array of regex patterns that are allowed for the pathname
+ * @returns true if the URL is valid, false otherwise
+ */
+function validateReturnToUrlWithPatterns(returnTo: string, hostUrl: GitpodHostUrl, allowedPatterns: RegExp[]): boolean {
+    try {
+        const url = new URL(returnTo);
+        const baseUrl = hostUrl.url;
+
+        // Must be same origin OR www.gitpod.io exception
+        const isSameOrigin = url.origin === baseUrl.origin;
+        const isGitpodWebsite = url.protocol === "https:" && url.hostname === "www.gitpod.io";
+
+        if (!isSameOrigin && !isGitpodWebsite) {
+            return false;
+        }
+
+        // For www.gitpod.io, only allow root path
+        if (isGitpodWebsite) {
+            return url.pathname === "/";
+        }
+
+        // Check if pathname matches any allowed pattern
+        const isAllowedPath = allowedPatterns.some((pattern) => pattern.test(url.pathname));
+        if (!isAllowedPath) {
+            return false;
+        }
+
+        // For complete-auth, require ONLY message parameter (used by OAuth flows)
+        if (url.pathname === "/complete-auth") {
+            const searchParams = new URLSearchParams(url.search);
+            const paramKeys = Array.from(searchParams.keys());
+            return paramKeys.length === 1 && paramKeys[0] === "message" && searchParams.has("message");
+        }
+
+        return true;
+    } catch (error) {
+        // Invalid URL
+        return false;
+    }
+}
+
+/**
+ * Validates returnTo URLs for login API endpoints.
+ * Login API allows broader navigation after authentication.
+ */
+export function validateLoginReturnToUrl(returnTo: string, hostUrl: GitpodHostUrl): boolean {
+    const allowedPatterns = [
+        // We have already verified the domain above, and we do not restrict the redirect location for loginReturnToUrl.
+        /^\/.*$/,
+    ];
+
+    return validateReturnToUrlWithPatterns(returnTo, hostUrl, allowedPatterns);
+}
+
+/**
+ * Validates returnTo URLs for authorize API endpoints.
+ * Authorize API allows complete-auth callbacks and dashboard pages for scope elevation.
+ */
+export function validateAuthorizeReturnToUrl(returnTo: string, hostUrl: GitpodHostUrl): boolean {
+    const allowedPatterns = [
+        // 1. complete-auth callback for OAuth popup windows
+        /^\/complete-auth$/,
+
+        // 2. Dashboard pages (for scope elevation flows)
+        /^\/$/, // Root
+        /^\/new$/, // Create workspace page
+        /^\/quickstart$/, // Quickstart page
+    ];
+
+    return validateReturnToUrlWithPatterns(returnTo, hostUrl, allowedPatterns);
+}
+
 @injectable()
 export class Authenticator {
     protected passportInitialize: express.Handler;
@@ -192,6 +269,13 @@ export class Authenticator {
         let returnToParam: string | undefined = req.query.returnTo?.toString();
         if (returnToParam) {
             log.info(`Stored returnTo URL: ${returnToParam}`, { "login-flow": true });
+
+            // Validate returnTo URL against allowlist for login API
+            if (!validateLoginReturnToUrl(returnToParam, this.config.hostUrl)) {
+                log.warn(`Invalid returnTo URL rejected for login: ${returnToParam}`, { "login-flow": true });
+                res.redirect(this.getSorryUrl(`Invalid return URL.`));
+                return;
+            }
         }
         // returnTo defaults to workspaces url
         const workspaceUrl = this.config.hostUrl.asDashboard().toString();
@@ -306,6 +390,13 @@ export class Authenticator {
             return;
         }
 
+        // Validate returnTo URL against allowlist for authorize API
+        if (!validateAuthorizeReturnToUrl(returnToParam, this.config.hostUrl)) {
+            log.warn(`Invalid returnTo URL rejected for authorize: ${returnToParam}`, { "authorize-flow": true });
+            res.redirect(this.getSorryUrl(`Invalid return URL.`));
+            return;
+        }
+
         // Ensure returnTo URL has a fragment to prevent OAuth token inheritance attacks
         const returnTo = ensureUrlHasFragment(returnToParam);
 
diff --git a/components/server/src/auth/return-to-validation.spec.ts b/components/server/src/auth/return-to-validation.spec.ts
@@ -0,0 +1,255 @@
+/**
+ * Copyright (c) 2024 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { expect } from "chai";
+import { GitpodHostUrl } from "@gitpod/gitpod-protocol/lib/util/gitpod-host-url";
+import { validateLoginReturnToUrl, validateAuthorizeReturnToUrl } from "./authenticator";
+
+describe("ReturnTo URL Validation", () => {
+    const hostUrl = new GitpodHostUrl("https://gitpod.io");
+
+    describe("validateLoginReturnToUrl", () => {
+        it("should accept any valid path after domain validation", () => {
+            const validUrls = [
+                "https://gitpod.io/",
+                "https://gitpod.io/workspaces",
+                "https://gitpod.io/workspaces/123",
+                "https://gitpod.io/settings",
+                "https://gitpod.io/settings/integrations",
+                "https://gitpod.io/user-settings",
+                "https://gitpod.io/user-settings/account",
+                "https://gitpod.io/integrations",
+                "https://gitpod.io/integrations/github",
+                "https://gitpod.io/repositories",
+                "https://gitpod.io/repositories/123",
+                "https://gitpod.io/prebuilds",
+                "https://gitpod.io/prebuilds/456",
+                "https://gitpod.io/members",
+                "https://gitpod.io/billing",
+                "https://gitpod.io/usage",
+                "https://gitpod.io/insights",
+                "https://gitpod.io/new",
+                "https://gitpod.io/login",
+                "https://gitpod.io/login/org-slug",
+                "https://gitpod.io/quickstart",
+                "https://gitpod.io/admin", // Now allowed since login doesn't restrict paths
+                "https://gitpod.io/api/workspace", // Now allowed
+                "https://gitpod.io/any-path", // Any path is allowed
+            ];
+
+            validUrls.forEach((url) => {
+                const result = validateLoginReturnToUrl(url, hostUrl);
+                expect(result).to.equal(true, `Should accept valid login URL: ${url}`);
+            });
+        });
+
+        it("should accept complete-auth with ONLY message parameter", () => {
+            const validCompleteAuthUrls = [
+                "https://gitpod.io/complete-auth?message=success:123",
+                "https://gitpod.io/complete-auth?message=success",
+            ];
+
+            validCompleteAuthUrls.forEach((url) => {
+                const result = validateLoginReturnToUrl(url, hostUrl);
+                expect(result).to.equal(true, `Should accept complete-auth with only message: ${url}`);
+            });
+        });
+
+        it("should reject complete-auth with additional parameters", () => {
+            const invalidCompleteAuthUrls = [
+                "https://gitpod.io/complete-auth?message=success&other=param",
+                "https://gitpod.io/complete-auth?other=param&message=success",
+                "https://gitpod.io/complete-auth",
+                "https://gitpod.io/complete-auth?other=param",
+                "https://gitpod.io/complete-auth?msg=success", // Wrong parameter name
+            ];
+
+            invalidCompleteAuthUrls.forEach((url) => {
+                const result = validateLoginReturnToUrl(url, hostUrl);
+                expect(result).to.equal(false, `Should reject complete-auth with extra params: ${url}`);
+            });
+        });
+
+        it("should accept www.gitpod.io root only", () => {
+            const result = validateLoginReturnToUrl("https://www.gitpod.io/", hostUrl);
+            expect(result).to.equal(true, "Should accept www.gitpod.io root");
+
+            const invalidWwwUrls = [
+                "https://www.gitpod.io/workspaces",
+                "https://www.gitpod.io/login",
+                "http://www.gitpod.io/", // Wrong protocol
+            ];
+
+            invalidWwwUrls.forEach((url) => {
+                const result = validateLoginReturnToUrl(url, hostUrl);
+                expect(result).to.equal(false, `Should reject www.gitpod.io non-root: ${url}`);
+            });
+        });
+    });
+
+    describe("validateAuthorizeReturnToUrl", () => {
+        it("should accept only specific allowlisted paths", () => {
+            const validUrls = [
+                "https://gitpod.io/", // Root
+                "https://gitpod.io/new", // Create workspace page
+                "https://gitpod.io/quickstart", // Quickstart page
+            ];
+
+            validUrls.forEach((url) => {
+                const result = validateAuthorizeReturnToUrl(url, hostUrl);
+                expect(result).to.equal(true, `Should accept valid authorize URL: ${url}`);
+            });
+        });
+
+        it("should accept complete-auth with ONLY message parameter", () => {
+            const validCompleteAuthUrls = [
+                "https://gitpod.io/complete-auth?message=success:123",
+                "https://gitpod.io/complete-auth?message=success",
+            ];
+
+            validCompleteAuthUrls.forEach((url) => {
+                const result = validateAuthorizeReturnToUrl(url, hostUrl);
+                expect(result).to.equal(true, `Should accept complete-auth with only message: ${url}`);
+            });
+        });
+
+        it("should reject paths not in authorize allowlist", () => {
+            const rejectedUrls = [
+                "https://gitpod.io/workspaces",
+                "https://gitpod.io/workspaces/123",
+                "https://gitpod.io/user-settings",
+                "https://gitpod.io/integrations",
+                "https://gitpod.io/prebuilds",
+                "https://gitpod.io/members",
+                "https://gitpod.io/billing",
+                "https://gitpod.io/usage",
+                "https://gitpod.io/insights",
+                "https://gitpod.io/login",
+                "https://gitpod.io/settings",
+                "https://gitpod.io/repositories",
+                "https://gitpod.io/admin",
+                "https://gitpod.io/api/workspace",
+            ];
+
+            rejectedUrls.forEach((url) => {
+                const result = validateAuthorizeReturnToUrl(url, hostUrl);
+                expect(result).to.equal(false, `Should reject authorize URL: ${url}`);
+            });
+        });
+
+        it("should accept www.gitpod.io root only", () => {
+            const result = validateAuthorizeReturnToUrl("https://www.gitpod.io/", hostUrl);
+            expect(result).to.equal(true, "Should accept www.gitpod.io root");
+        });
+    });
+
+    describe("Common validation tests", () => {
+        it("should reject different origins", () => {
+            const invalidOriginUrls = [
+                "https://evil.com/workspaces",
+                "http://gitpod.io/workspaces", // Different protocol
+                "https://gitpod.io:8080/workspaces", // Different port
+                "https://subdomain.gitpod.io/workspaces", // Different subdomain
+            ];
+
+            invalidOriginUrls.forEach((url) => {
+                expect(validateLoginReturnToUrl(url, hostUrl)).to.equal(false, `Login should reject: ${url}`);
+                expect(validateAuthorizeReturnToUrl(url, hostUrl)).to.equal(false, `Authorize should reject: ${url}`);
+            });
+        });
+
+        it("should have different path restrictions for login vs authorize", () => {
+            const pathsAllowedInLoginOnly = [
+                "https://gitpod.io/admin",
+                "https://gitpod.io/workspace-123",
+                "https://gitpod.io/api/workspace",
+                "https://gitpod.io/workspaces",
+                "https://gitpod.io/settings",
+                "https://gitpod.io/any-arbitrary-path",
+            ];
+
+            pathsAllowedInLoginOnly.forEach((url) => {
+                expect(validateLoginReturnToUrl(url, hostUrl)).to.equal(true, `Login should allow: ${url}`);
+                expect(validateAuthorizeReturnToUrl(url, hostUrl)).to.equal(false, `Authorize should reject: ${url}`);
+            });
+        });
+
+        it("should reject invalid URLs", () => {
+            const invalidUrls = [
+                "not-a-url",
+                "javascript:alert('xss')",
+                "data:text/html,<script>alert('xss')</script>",
+                "",
+                "//evil.com/workspaces",
+                "ftp://gitpod.io/workspaces",
+            ];
+
+            invalidUrls.forEach((url) => {
+                expect(validateLoginReturnToUrl(url, hostUrl)).to.equal(false, `Login should reject: ${url}`);
+                expect(validateAuthorizeReturnToUrl(url, hostUrl)).to.equal(false, `Authorize should reject: ${url}`);
+            });
+        });
+
+        it("should work with different host configurations", () => {
+            const previewHostUrl = new GitpodHostUrl("https://preview.gitpod-dev.com");
+
+            // Login should accept any path on same origin
+            const validLoginUrls = [
+                "https://preview.gitpod-dev.com/workspaces",
+                "https://preview.gitpod-dev.com/complete-auth?message=success",
+                "https://preview.gitpod-dev.com/any-path",
+            ];
+
+            validLoginUrls.forEach((url) => {
+                expect(validateLoginReturnToUrl(url, previewHostUrl)).to.equal(true, `Login should accept: ${url}`);
+            });
+
+            // Authorize should only accept allowlisted paths
+            const validAuthorizeUrls = [
+                "https://preview.gitpod-dev.com/", // Root
+                "https://preview.gitpod-dev.com/new", // Create workspace page
+                "https://preview.gitpod-dev.com/quickstart", // Quickstart page
+                "https://preview.gitpod-dev.com/complete-auth?message=success",
+            ];
+
+            validAuthorizeUrls.forEach((url) => {
+                expect(validateAuthorizeReturnToUrl(url, previewHostUrl)).to.equal(
+                    true,
+                    `Authorize should accept: ${url}`,
+                );
+            });
+
+            // Should reject /workspaces for authorize since it's not in allowlist
+            expect(validateAuthorizeReturnToUrl("https://preview.gitpod-dev.com/workspaces", previewHostUrl)).to.equal(
+                false,
+            );
+
+            // Should reject URLs for different hosts
+            expect(validateLoginReturnToUrl("https://gitpod.io/workspaces", previewHostUrl)).to.equal(false);
+            expect(validateAuthorizeReturnToUrl("https://gitpod.io/workspaces", previewHostUrl)).to.equal(false);
+        });
+
+        it("should validate www.gitpod.io specifically", () => {
+            // Test with production gitpod.io
+            const prodHostUrl = new GitpodHostUrl("https://gitpod.io");
+            expect(validateLoginReturnToUrl("https://www.gitpod.io/", prodHostUrl)).to.equal(true);
+            expect(validateAuthorizeReturnToUrl("https://www.gitpod.io/", prodHostUrl)).to.equal(true);
+
+            // Test with different deployment - www.gitpod.io should still work as it's hardcoded
+            const customHostUrl = new GitpodHostUrl("https://gitpod.example.com");
+            expect(validateLoginReturnToUrl("https://www.gitpod.io/", customHostUrl)).to.equal(true);
+            expect(validateAuthorizeReturnToUrl("https://www.gitpod.io/", customHostUrl)).to.equal(true);
+
+            // Test that other www subdomains don't work
+            expect(validateLoginReturnToUrl("https://www.gitpod.example.com/", prodHostUrl)).to.equal(false);
+            expect(validateAuthorizeReturnToUrl("https://www.gitpod.example.com/", prodHostUrl)).to.equal(false);
+
+            // Test domain injection prevention
+            expect(validateLoginReturnToUrl("https://www.gitpod.io.evil.com/", prodHostUrl)).to.equal(false);
+            expect(validateAuthorizeReturnToUrl("https://www.gitpod.io.evil.com/", prodHostUrl)).to.equal(false);
+        });
+    });
+});
diff --git a/components/server/src/user/user-controller.ts b/components/server/src/user/user-controller.ts
