Skip to content

Spec 29 S2/S3/S4: SSO hardening — OIDC takeover guard, GetSSOLoginURL throttle+GC, SSRF denylist #533

Description

@PaulDotterer

Second-pass audit findings (spec 29):

  • S2 [MED] OIDC auto-link-by-email lacks the SCIM account-takeover guard: idp/linker.go Step 2 links an IdP-asserted email to any existing user (incl. a local password admin) with no HasPassword/TrustEmailAssertions check. Mirror scim/users_create.go:113.
  • S3 [MED] GetSSOLoginURL is public but absent from the rate-limit ladder, and CleanupExpiredAuthStates is never scheduled → unbounded auth_states growth + outbound OIDC-discovery amplification.
  • S4 [MED] Blind SSRF: newBoundedOIDCClient has no net.Dialer.Control denylist and issuer_url is validated only required,url — an insider can point discovery/token URLs at internal addresses.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions