20264: Reject redirect target with userinfo.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 18537b202f6c5c63ff2a5e027eb0402f767acac9..f9b968a705255408132bb6449885c33356728cd2 100644 (file)
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -164,6 +164,8 @@ func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken st
        return
 }
 
+var errUserinfoInRedirectTarget = errors.New("redirect target rejected because it contains userinfo")
+
 func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) error {
        u, err := url.Parse(returnTo)
        if err != nil {
@@ -173,6 +175,9 @@ func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) erro
        if err != nil {
                return err
        }
+       if u.User != nil {
+               return errUserinfoInRedirectTarget
+       }
        target := origin(*u)
        for trusted := range cluster.Login.TrustedClients {
                trustedOrigin := origin(url.URL(trusted))