Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request parameterizes the Entra IDP URL, allowing it to be configured instead of being hardcoded. However, the current implementation introduces significant security risks, including the use of unencrypted HTTP which can lead to sensitive bearer token leakage, and vulnerability to OData injection due to improper escaping of user-supplied input in filter constructions. Additionally, a critical type safety issue exists where a constant string is assigned to a non-constant pointer, potentially causing a crash. These issues should be addressed by enforcing HTTPS, implementing proper sanitization for OData filters, and safely duplicating strings to resolve the type safety problem.
src/oidc_child/oidc_child_id.c
Outdated
| if (*base_url == '\0' || strncasecmp(base_url, "http", 4) != 0) { | ||
| DEBUG(SSSDBG_OP_FAILURE, "Colon supplied in %s but no url supplied.\n", | ||
| idp_type); | ||
| return EINVAL; | ||
| } |
There was a problem hiding this comment.
The base_url override allows the use of unencrypted HTTP (e.g., entra_id:http://...). When an HTTP URL is provided, the bearer_token (a sensitive credential) is transmitted in cleartext over the network. For a cloud service like Entra ID (Microsoft Graph), there is rarely a legitimate reason to use plain HTTP, and allowing it exposes the system to credential theft via man-in-the-middle (MITM) attacks. The code should enforce the use of HTTPS for the base URL.
| case GET_USER: | ||
| case GET_USER_GROUPS: | ||
| uri = talloc_asprintf(rest_ctx, "https://graph.microsoft.com/v1.0/users?$filter=%s", filter_enc); | ||
| uri = talloc_asprintf(rest_ctx, "%s/users?$filter=%s", base_url, filter_enc); |
There was a problem hiding this comment.
The input variable, which contains user-supplied data (such as a username or group name), is used to construct OData filter strings (e.g., at lines 84, 87, 95, 102, 105) without any sanitization or escaping of single quotes. Although the resulting filter is later URL-encoded, the OData logic itself remains vulnerable. An attacker can provide a crafted input containing single quotes (e.g., user') or (1 eq 1) to break out of the filter's quoting and inject arbitrary OData expressions. This could allow an attacker to manipulate identity lookups, potentially leading to unauthorized access or privilege escalation if the system relies on the lookup results for authorization decisions.
|
Is this ready for review or do you plan to work more on this? |
|
pretty much ready besides some docs additions, pending CI fixes |
alexey-tikhonov
added
Waiting for review
no-backport
pbrezina
left a comment
pbrezina
left a comment
There was a problem hiding this comment.
Hi, would you mind refactoring the code a bit? The keycloak and entraid functions currently take idp_type parameter that was used only in keycloak to get the base url, the same you do in entraid_lookup now.
It would be nice if you could write a separate function to parse the idp_type into base_url, call this function from oidc_get_id and provide base_url as parameter to the lookup functions (NULL means use default value (entryid) or error out (keycloak)).
src/oidc_child/oidc_child_id.c
Outdated
| "https://graph.microsoft.com/v1.0/users/%s/getMemberGroups", | ||
| obj_id); | ||
| uri = talloc_asprintf(rest_ctx, "%s/users/%s/getMemberGroups", | ||
| base_url, obj_id); |
|
Sounds good, will update PR shortly today or tomorrow. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Note: Covscan is green. |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces the parse_base_url_from_idp_type function to extract and normalize base URLs from the idp_type string, enabling configurable API endpoints for Entra ID and Keycloak. The entra_id_lookup and keycloak_lookup functions were updated to utilize these dynamic base URLs. A critical issue was identified in the logic for stripping trailing slashes, which could incorrectly truncate URLs that only contain a scheme, such as "https://".
pbrezina
left a comment
pbrezina
left a comment
There was a problem hiding this comment.
Hi, thank you for the changes.
Can you squash it into a single commit and adhere to our commit template: https://github.com/SSSD/sssd/blob/master/.git-commit-template
Maybe even adding a :feature: release note to it (explained in the commit template).
src/oidc_child/oidc_child_id.c
Outdated
| if (base_url == NULL) { | ||
| base_url = talloc_strdup(mem_ctx, "https://graph.microsoft.com/v1.0"); | ||
| if (base_url == NULL) { | ||
| ret = ENOMEM; | ||
| goto done; | ||
| } | ||
| } |
There was a problem hiding this comment.
I'd move this to entra_id_lookup.
pbrezina
left a comment
pbrezina
left a comment
There was a problem hiding this comment.
Hi, thank you. See one more minor thing inline.
Additionally, we need to rewrite the release note a little:
idp_type
:feature: `idp_type` option allows entra_idp url to be specified if user is using a
different microsoft entra endpoint.
Can you also update manual page saying it is not needed but possible? https://github.com/SSSD/sssd/blob/master/src/man/sssd-idp.5.xml#L62
Thank you.
src/oidc_child/oidc_child_id.c
Outdated
| if (base_url == NULL) { | ||
| DEBUG(SSSDBG_OP_FAILURE, "Missing base URL in IdP type [%s].\n", | ||
| idp_type); | ||
| ret = EINVAL; | ||
| goto done; | ||
| } |
There was a problem hiding this comment.
I missed this one previously, sorry. Can you move it to keycloak_lookup?
ezrizhu
force-pushed
the
master
branch
2 times, most recently
from
af4f7d6 to
a12ebb0
Compare
sumit-bose
left a comment
sumit-bose
left a comment
There was a problem hiding this comment.
Hi,
thank you, I have no further comments, ACK.
bye,
Sumit
|
I'll push the manpage updates sometime today aswell edit: done |
|
Hi, thank you for updating the man page, looks good. bye, |
pbrezina
left a comment
pbrezina
left a comment
There was a problem hiding this comment.
Thank you for your changes. Ack.
|
Thanks for the reviews, the one CI failure appears to be unrelated(?) Please let me know if anything else is needed on my end. Have a good rest of your weeks |
Creates a function to extract the idp url from idp_type instead of using hardcoded entra url due to GCC High Entra instances using a different url. Resolves: SSSD#8446 idp_type :feature: `idp_type` option allows entra_idp url to be specified if user is using a different microsoft entra endpoint. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
Thank you, no further steps are needed. Have a good rest of your week as well. bye, |
6 participants
fixes #8446