Closed jeffmahoney closed 2 years ago
I was able to crash Velociraptor by requesting the github authenticator callback URL directly with e.g. curl https://vrrserver/auth/github/callback
It turns out that there was no error handling if there is no 'oauthstate' cookie provided as part of the request and we hit a nil pointer dereference panic. The Google and Azure authenticators had the same issue.
This commit fixes all three and resolves #1999.