benjojo
replied 17 Sep 2024 20:03 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/Z199DBtKHy5xDld41c
GitLab has proven to me that it will take some incredible amount of money for me to implement SAML SSO, as SAML and its friends seem like inverted minefields where the mud is mine and the tiny spots are walkable
puckipedia@puckipedi..
replied 17 Sep 2024 20:04 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/KPnM8Zj8XTWD911dR2
@benjojo it's actually a bug in omniauth, which means it also affects mastodon/etc, cursedly. The amusing thing is it's entirely bugged on the XML signature level, rather than anything SAML-specific
benjojo
replied 17 Sep 2024 20:06 +0000
in reply to: https://puckipedia.com/euni-5mzk/4hzj
@puckipedia Sure, but gitlab seems like a magnet for these auth bypasses that then end up with your gitlab built-in k8s/jenkins/CI/whatever compromised too
tedu@honk.tedunangst..
replied 20 Sep 2024 23:48 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/KPnM8Zj8XTWD911dR2
@benjojo some related reading: https://www.latacora.com/blog/2019/07/24/how-not-to/
Canonicalization is a quagnet, which is a term of art in vulnerability research meaning quagmire and vulnerability magnet.
benjojo
replied 20 Sep 2024 23:54 +0000
in reply to: https://honk.tedunangst.com/u/tedu/h/6w3q9WLMsZ8yhJFRFP
@tedu Yeah, the whole ecosystem around that is just a vulnerability magnet. I did some stuff with the UK university SSO called Shibboleth ages ago, and I suspect it's only survived thus far because no one has seemingly looked into it too deeply