okta / okta-sdk-golang

A Golang SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.
https://github.com/okta/okta-sdk-golang

Unsanitised endpoints string formatting #306

Open cedws opened 2 years ago

cedws commented 2 years ago

Describe the bug?

There are various methods in the SDK which take a string parameter and format an endpoint URL. Take this method for example:

https://github.com/okta/okta-sdk-golang/blob/3e873731bbcce66c8f44e7f8051166c8c17ed155/okta/user.go#L72-L91

A username is taken as a parameter and appended to /api/v1/users/. This could be an issue because the username is not sanitised. If the attacker controls this input it would be possible to call another endpoint by passing something such as fakeuser/grants, fakeusers/groups, or any other endpoint that accepts GET requests. This principle could be used to perform other operations like POST/PUT requests.

This could be dangerous if a consumer of the SDK is not aware that they need to pre-sanitise. In the real world, we can imagine an internal web page for looking up Okta users. A form sends a username to the backend which is passed into GetUser(). Somebody able to access the web page might be able to send crafted inputs to potentially obtain information they shouldn't be able to or perform administrative actions.

What is expected to happen?

The SDK should convey that consumers are expected to sanitise strings to prevent manipulation of endpoint URLs.

What is the actual behavior?

The SDK is vulnerable to manipulation of endpoint URLs via unsanitised input.

Reproduction Steps?

Proof of concept code:

package main

import (
	"context"
	"fmt"
	"log"
	"os"

	"github.com/okta/okta-sdk-golang/v2/okta"
)

func main() {
	// Org URL and API token are read from the environment so the snippet compiles as-is.
	ctx, oktaClient, err := okta.NewClient(
		context.TODO(),
		okta.WithOrgUrl(os.Getenv("OKTA_ORG")),
		okta.WithToken(os.Getenv("OKTA_TOKEN")),
	)
	if err != nil {
		log.Fatal(err)
	}

	// The string is placed into the request path unchanged, so this call reaches /api/v1/users/fakeuser/groups.
	user, resp, err := oktaClient.User.GetUser(ctx, "fakeuser/groups")
	fmt.Printf("%+v %+v %+v\n", user, resp, err)
}

Additional Information?

No response

Golang Version

N/A

SDK Version

v2.12.1

OS version

No response
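As an added example, not code from this issue or from the SDK: a small Go check a consumer could apply before handing user input to GetUser(). userPath is an assumed reconstruction of the formatting pattern the report describes, and validateUserID/safeUserPath are hypothetical names; the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// userPath mirrors the pattern the issue describes (an assumed reconstruction,
// not the SDK's code): the caller's string lands in the path unchanged, so
// "fakeuser/groups" selects a different endpoint than the caller intended.
func userPath(userID string) string {
	return fmt.Sprintf("/api/v1/users/%v", userID)
}

var ErrInvalidUserID = errors.New("user identifier must be a single path segment")

// validateUserID accepts only values that can stand as exactly one path
// segment: non-empty, no path separators, no query/fragment/percent
// delimiters, no control characters, and no dot segments a URL normaliser
// could collapse.
func validateUserID(userID string) error {
	if userID == "" || userID == "." || userID == ".." {
		return ErrInvalidUserID
	}
	if strings.ContainsAny(userID, "/\\?#%") {
		return ErrInvalidUserID
	}
	for _, r := range userID {
		if r < 0x20 || r == 0x7f {
			return ErrInvalidUserID
		}
	}
	return nil
}

// safeUserPath validates and then percent-encodes the identifier, so whatever
// survives validation occupies one path segment (e.g. a space becomes %20).
func safeUserPath(userID string) (string, error) {
	if err := validateUserID(userID); err != nil {
		return "", err
	}
	return "/api/v1/users/" + url.PathEscape(userID), nil
}

func main() {
	for _, in := range []string{"jane.doe@example.com", "fakeuser/groups", "fake user"} {
		safe, err := safeUserPath(in)
		fmt.Printf("%-22q unsafe=%s safe=%q err=%v\n", in, userPath(in), safe, err)
	}
}
```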

laura-rodriguez commented 2 years ago

Hi @cedws,

Thanks for reporting this issue. Someone from our team will review it soon.

cc @MikeMondragon-okta

github-actions[bot] commented 2 years ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.