Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

platform(general): Double-Encode URI for RelayState Parameter #6302

Merged
merged 8 commits into from
May 16, 2024
Merged

platform(general): Double-Encode URI for RelayState Parameter #6302

merged 8 commits into from
May 16, 2024

Conversation

SimOnPanw
Copy link
Contributor

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

This pull request addresses an issue where the Identity Provider (IDP) was stripping information from the RelayState parameter if it was not double-encoded. The change ensures that the URI is correctly double-encoded before being passed as the RelayState parameter, thus preserving the full URI information.

Testing:
Verified that the double-encoded URI is correctly passed as the RelayState parameter.
Confirmed that the IDP retains the full information of the RelayState parameter without stripping any part of the URI.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@mikeurbanski1
Copy link
Contributor

@SimOnPanw is this true for every IDP? I am wondering how the initial implementation of this worked (assuming it was tested). Did it ever work?

@SimOnPanw
Copy link
Contributor Author

@SimOnPanw is this true for every IDP? I am wondering how the initial implementation of this worked (assuming it was tested). Did it ever work?

@mikeurbanski1, Yes, it used to work. I noticed some changes when we changed the landing pages from /project to /home/appsec/projects, but I could not pinpoint the issue at that moment. It was only when a customer raised the issue that we further troubleshot and discovered that Azure IDP was stripping information from the URL.

@mikeurbanski1
Copy link
Contributor

@SimOnPanw is this true for every IDP? I am wondering how the initial implementation of this worked (assuming it was tested). Did it ever work?

@mikeurbanski1, Yes, it used to work. I noticed some changes when we changed the landing pages from /project to /home/appsec/projects, but I could not pinpoint the issue at that moment. It was only when a customer raised the issue that we further troubleshot and discovered that Azure IDP was stripping information from the URL.

Ok. I guess my concern here is whether this fix will be universal. I don't really have a way to test it and my memory for SSO flow details is weak.

@mikeurbanski1 mikeurbanski1 merged commit f4a4f3e into bridgecrewio:main May 16, 2024
37 of 38 checks passed
shoshiGit pushed a commit to shoshiGit/shoshi-wolpe-checkov that referenced this pull request May 16, 2024
@SimOnPanw @actions-user
platform(general): Double-Encode URI for RelayState Parameter (bridge…
056a656 
…crewio#6302)

* Add URI double encoding for the report url

* fix flake8

* Install urllib3 and update Pipfile and Pipfile.lock

* Install urllib3 and update Pipfile and Pipfile.lock

* delete results.sarif

* Add urllib3 in setup.py
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikeurbanski1 mikeurbanski1 mikeurbanski1 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@SimOnPanw @mikeurbanski1