External redirects allowed

Frontend Deployment type

• Cloud Foundry Application (cf push)
• Kubernetes, using a helm chart
• Docker, single container deploying all components
• npm run start
• Other (please specify below)

Backend (Jet Stream) Deployment type

• Cloud Foundry Application (cf push)
• Kubernetes, using a helm chart
• Docker, single container deploying all components
• Other (please specify below)

Expected behaviour

Stratos should validate redirects passed as query parameters on login

Actual behaviour

Stratos redirects to any url upon login

Steps to reproduce the behavior

1. log in to stratos
2. go to https://`your stratos url/pp/v1/auth/sso_login?state=some url that is not stratos`

Context

This is a security vulnerability. An attacker could use a specially-crafted url that looks trusted to a user. When the user clicks on the url, they could be taken to a nefarious site. This can also make phishing attempts more convincing by using trusted urls. More details on why this is bad available from OWASP

Possible Implementation

I think this is happening here: https://github.com/cloudfoundry-incubator/stratos/blob/v2-master/src/jetstream/auth.go#L196

I think the best implementation here is to have a whitelist of safe redirect hosts, or to not follow redirects from the url at all.