sec(oauth): phase-2 attack-path review (forgejo-mcp-broker-wgo)
Structured review of every OAuth/auth handler against the standard
attack catalog. Findings table added to design.md §8.2.
Two real issues found and fixed:
- Refresh-token replay race: tokenRefreshGrant read the row, validated
it, then minted a new pair before unconditionally revoking the old
refresh. Two concurrent /token requests with the same refresh would
both pass validation and both mint a fresh pair — token-quota
duplication and a hint to a stolen-refresh attacker. Fixed with the
same atomic UPDATE rows-affected pattern already used for auth-code
single-use. New TestToken_Refresh_ConcurrentReplay_OnlyOneSucceeds
races two goroutines and verifies exactly one wins.
- Permissive redirect_uri schemes: validateRedirectURI accepted any
non-empty scheme, including javascript: and data:. Tightened to
require https, http for loopback only, or a reverse-DNS private-use
scheme per RFC 8252 §7.1. TestValidateRedirectURI updated to cover
each variant including the rejected javascript:/data: cases.
Items deferred to backlog (already filed):
- Rate limits on /oauth/register and /oauth/token (-ttl)
- --token-fd to close the /proc/<pid>/environ window (-1n2)
- AES-GCM at-rest encryption of Forgejo tokens (-sd4)
Closes forgejo-mcp-broker-wgo. Phase 2 complete.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 933e7bd369
commit 8369ec2cc7
5 changed files with 140 additions and 21 deletions
@ -88,8 +88,14 @@ func TestValidateRedirectURI(t *testing.T) {
ok bool
}{
{"https", "https://app.example.com/cb", true},
{"http_loopback", "http://localhost:1234/cb", true},
{"custom_scheme", "claude://oauth/cb", true},
{"http_loopback_localhost", "http://localhost:1234/cb", true},
{"http_loopback_v4", "http://127.0.0.1/cb", true},
{"http_loopback_v6", "http://[::1]/cb", true},
{"http_non_loopback", "http://app.example.com/cb", false},
{"reverse_dns_scheme", "com.example.claudeapp:/cb", true},
{"single_word_scheme", "claude://oauth/cb", false},
{"javascript_scheme", "javascript:alert(1)", false},
{"data_scheme", "data:text/html,<h1>hi</h1>", false},
{"missing_scheme", "app.example.com/cb", false},
{"unparseable", "://no-scheme", false},
}
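Review bot: the rendered hunk has lost its +/- markers, and as shown the table is self-contradictory: `{"custom_scheme", "claude://oauth/cb", true}` and `{"single_word_scheme", "claude://oauth/cb", false}` assert opposite results for the same input, and `{"http_loopback", "http://localhost:1234/cb", true}` duplicates the `http_loopback_localhost` row. The header's 8-old/14-new counts mean two rows here are removed lines, and by name those are almost certainly `http_loopback` and `custom_scheme`; please confirm that the surviving table has exactly one `claude://oauth/cb` row (expecting false) and one `localhost` row. Two gaps worth closing while the table is open: the loopback cases never vary the port for the IP-literal forms, so nothing proves the validator accepts an arbitrary port on `127.0.0.1`/`[::1]` as RFC 8252 §7.3 requires rather than pinning one; and since RFC 8252 §8.3 recommends loopback IP literals over `localhost`, the decision to accept `http://localhost:...` should be stated in the commit message or a comment on the row. A fragment case such as `https://app.example.com/cb#x` expecting false would also round out the catalog, since RFC 6749 §3.1.2 forbids fragments in a registered redirect URI.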