server: changes from external security review #89
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Benson Wong <benson@tailscale.com>
In serveAuthorize there was a chance an authorization code is saved but never used if a url.Parse() fails. This commit moves the parsing logic above the saving logic. Signed-off-by: Benson Wong <benson@tailscale.com>
Signed-off-by: Benson Wong <benson@tailscale.com>
Signed-off-by: Benson Wong <benson@tailscale.com>
The UI form endpoints and the /client/ endpoints accept POST requests for modifying OAuth client data. This commit adds checking of the Sec-Fetch-Site and Origin request headers. Signed-off-by: Benson Wong <benson@tailscale.com>
add isDangerousScheme() to disallow various schemes that may be dangerous in an OAuth redirect_uri Signed-off-by: Benson Wong <benson@tailscale.com>
Signed-off-by: Benson Wong <benson@tailscale.com>
Eliminiate a low risk scenario where a refresh token could be used to issue multiple access tokens in a race condition. The trade-off is that a users would need to re-authenticate when a token refresh fails. Signed-off-by: Benson Wong <benson@tailscale.com>
Signed-off-by: Benson Wong <benson@tailscale.com>
mostlygeek
force-pushed
the
mostlygeek/sec-review
branch
from
8a8ea35 to
28c2f76
Compare
Signed-off-by: Benson Wong <benson@tailscale.com>
mostlygeek
force-pushed
the
mostlygeek/sec-review
branch
from
28c2f76 to
7c49993
Compare
mostlygeek
commented
Oct 22, 2025
mostlygeek
commented
Oct 22, 2025
mostlygeek
commented
Oct 22, 2025
mostlygeek
commented
Oct 22, 2025
| } | ||
| } | ||
|
|
||
| func TestDynamicClientRegistrationCORSHeaders(t *testing.T) { |
Contributor
Author
There was a problem hiding this comment.
Add CORS pre-flight tests to enforce the contract we have for now. We can tighten them up in the future. DCR doesn't really work without more permissive settings, particularly with the mcp-inspector.
mostlygeek
commented
Oct 22, 2025
| } | ||
| } | ||
|
|
||
| func TestClientApiCSRF(t *testing.T) { |
Contributor
Author
There was a problem hiding this comment.
Add tests to ensure the /clients/ api handles CSRF mitigation as expected.
mostlygeek
commented
Oct 22, 2025
|
|
||
| // isFunnelRequest checks if the request is coming through Tailscale Funnel | ||
| // Migrated from legacy/tsidp.go:2392-2410 | ||
| func isFunnelRequest(r *http.Request) bool { |
Contributor
Author
There was a problem hiding this comment.
function moved to server.go
mostlygeek
commented
Oct 22, 2025
| } | ||
| } | ||
| } | ||
| func TestMetadataCORSHeaders(t *testing.T) { |
Contributor
Author
There was a problem hiding this comment.
Add test to ensure metadata endpoints have the appropriate CORS preflight behaviour.
mostlygeek
commented
Oct 22, 2025
| } | ||
|
|
||
| // isFunnelRequest checks if the request is coming through Tailscale Funnel | ||
| func isFunnelRequest(r *http.Request) bool { |
Contributor
Author
There was a problem hiding this comment.
moved here from oauth-metadata.go. No changes to the code.
mostlygeek
commented
Oct 22, 2025
|
|
||
| RUN addgroup -g 1001 -S app && \ | ||
| adduser -u 1001 -S app | ||
|
|
Contributor
Author
There was a problem hiding this comment.
run binary as a less privileged user than root
Signed-off-by: Benson Wong <benson@tailscale.com>
Signed-off-by: Benson Wong <benson@tailscale.com>
mostlygeek
force-pushed
the
mostlygeek/sec-review
branch
from
9382158 to
f2206b2
Compare
awly
reviewed
Oct 24, 2025
Member
awly
left a comment
awly
left a comment
There was a problem hiding this comment.
Some other stuff that would be good to patch, here or in a separate PR:
- LT-APP25-11: I don't think all endpoints do request method filtering (like
handleUI); perhaps usinghttp.ServeMuxcapabilities is the simplest thing here? https://pkg.go.dev/net/http#hdr-Patterns-ServeMux - LT-APP25-16: other misc security headers like HSTS and CSP
awly
reviewed
Oct 24, 2025
mostlygeek
force-pushed
the
mostlygeek/sec-review
branch
from
cab732d to
a92591c
Compare
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Benson Wong <benson@tailscale.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Benson Wong <benson@tailscale.com>
- add "s" to misspelled CORS header Access-Control-Allow-Method - use filippo.io/csrf for CSRF protection Signed-off-by: Benson Wong <benson@tailscale.com>
mostlygeek
force-pushed
the
mostlygeek/sec-review
branch
from
a92591c to
986bd68
Compare
Signed-off-by: Benson Wong <benson@tailscale.com>
Contributor
Author
|
@awly thanks for the suggestions. Ready for another review. |
awly
approved these changes
Oct 28, 2025
server/server.go
Outdated
Comment on lines
246
to
247
| protect := csrf.New() | ||
| protect.AddTrustedOrigin(s.serverURL) |
Member
There was a problem hiding this comment.
nit: move this to the bottom, right before the return where it's actually needed
Signed-off-by: Benson Wong <benson@tailscale.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR incorporates the changes and recommendations from the external security review. Where applicable commits will reference the ID in the security report.