@@ -88,6 +88,7 @@ of this software and associated documentation files (the "Software"), to deal
8888import java .io .IOException ;
8989import java .net .InetSocketAddress ;
9090import java .net .Proxy ;
91+ import java .security .SecureRandom ;
9192import java .util .Arrays ;
9293import java .util .HashSet ;
9394import java .util .Set ;
@@ -337,6 +338,9 @@ public String getOauthScopes() {
337338
338339 public HttpResponse doCommenceLogin (StaplerRequest request , @ QueryParameter String from , @ Header ("Referer" ) final String referer )
339340 throws IOException {
341+ // https://tools.ietf.org/html/rfc6749#section-10.10 dictates that probability that an attacker guesses the string
342+ // SHOULD be less than or equal to 2^(-160) and our Strings consist of 65 chars. (65^27 ~= 2^160)
343+ final String state = getSecureRandomString (27 );
340344 String redirectOnFinish ;
341345 if (from != null && Util .isSafeToRedirectTo (from )) {
342346 redirectOnFinish = from ;
@@ -347,18 +351,19 @@ public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter Stri
347351 }
348352
349353 request .getSession ().setAttribute (REFERER_ATTRIBUTE , redirectOnFinish );
354+ request .getSession ().setAttribute (STATE_ATTRIBUTE , state );
350355
351356 Set <String > scopes = new HashSet <>();
352357 for (GitHubOAuthScope s : getJenkins ().getExtensionList (GitHubOAuthScope .class )) {
353358 scopes .addAll (s .getScopesToRequest ());
354359 }
355360 String suffix ="" ;
356361 if (!scopes .isEmpty ()) {
357- suffix = "&scope=" +Util .join (scopes ,"," );
362+ suffix = "&scope=" +Util .join (scopes ,"," )+ "&state=" + state ;
358363 } else {
359364 // We need repo scope in order to access private repos
360365 // See https://developer.github.com/v3/oauth/#scopes
361- suffix = "&scope=" + oauthScopes ;
366+ suffix = "&scope=" + oauthScopes + "&state=" + state ;
362367 }
363368
364369 return new HttpRedirect (githubWebUri + "/login/oauth/authorize?client_id="
@@ -372,13 +377,27 @@ public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter Stri
372377 public HttpResponse doFinishLogin (StaplerRequest request )
373378 throws IOException {
374379 String code = request .getParameter ("code" );
380+ String state = request .getParameter (STATE_ATTRIBUTE );
375381 String referer = (String )request .getSession ().getAttribute (REFERER_ATTRIBUTE );
382+ String expectedState = (String )request .getSession ().getAttribute (STATE_ATTRIBUTE );
376383
377384 if (code == null || code .trim ().length () == 0 ) {
378385 Log .info ("doFinishLogin: missing code." );
379386 return HttpResponses .redirectToContextRoot ();
380387 }
381388
389+ if (state == null ){
390+ Log .info ("doFinishLogin: missing state parameter from Github response." );
391+ return HttpResponses .redirectToContextRoot ();
392+ } else if (expectedState == null ){
393+ Log .info ("doFinishLogin: missing state parameter from user's session." );
394+ return HttpResponses .redirectToContextRoot ();
395+ } else if (!state .equals (expectedState )){
396+ Log .info ("state parameter value [" +state +"] does not match the expected one [" +expectedState +"]" );
397+ return HttpResponses .redirectToContextRoot ();
398+ }
399+
400+
382401 String accessToken = getAccessToken (code );
383402
384403 if (accessToken != null && accessToken .trim ().length () > 0 ) {
@@ -460,6 +479,21 @@ private String getAccessToken(@Nonnull String code) throws IOException {
460479 return null ;
461480 }
462481
482+ /**
483+ * Generates a random URL Safe String of n characters
484+ */
485+ private String getSecureRandomString (int n ) {
486+ if (n < 0 ){
487+ throw new IllegalArgumentException ("Length must be a positive integer" );
488+ }
489+ // See RFC3986
490+ final String urlSafeChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_" ;
491+ final StringBuilder sb = new StringBuilder ();
492+ for (int i = 0 ; i < n ; i ++){
493+ sb .append (urlSafeChars .charAt (SECURE_RANDOM .nextInt (urlSafeChars .length ())));
494+ }
495+ return sb .toString ();
496+ }
463497 /**
464498 * Returns the proxy to be used when connecting to the given URI.
465499 */
@@ -659,7 +693,7 @@ public UserDetails loadUserByUsername(String username)
659693
660694 Authentication token = SecurityContextHolder .getContext ().getAuthentication ();
661695
662- if (token == null ) {
696+ if (token == null || ! username . equals ( token . getPrincipal ()) ) {
663697 if (localUser != null && GithubSecretStorage .contains (localUser )){
664698 String accessToken = GithubSecretStorage .retrieve (localUser );
665699 try {
@@ -789,6 +823,9 @@ static Jenkins getJenkins() {
789823 private static final Logger LOGGER = Logger .getLogger (GithubSecurityRealm .class .getName ());
790824
791825 private static final String REFERER_ATTRIBUTE = GithubSecurityRealm .class .getName ()+".referer" ;
826+ private static final String STATE_ATTRIBUTE = "state" ;
827+
828+ private static final SecureRandom SECURE_RANDOM = new SecureRandom ();
792829
793830 /**
794831 * Asks for the password.
0 commit comments