CVE-2024-2791X

This challenge covers the review of a CVE in a Golang codebase and its patch.

Tier: Easy (PentesterLab Pro)

The Code Review Patch challenges are designed to help you identify security vulnerabilities in code by reviewing the provided code and its patch. Initially, you should attempt to spot the issue without looking at the patch. If you struggle to find the vulnerability or want to confirm your findings, you can then review the patch (the diff file).

In this lab, you will examine the userauth.go file, specifically focusing on how the system handles email domain validation for OpenID Connect (OIDC) users. The provided patch addresses a vulnerability where incorrect email domain validation could allow unauthorized access. By splitting the email at the "@" symbol and comparing the domain more accurately, the patch enhances security by ensuring only users with valid email domains are authenticated.
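As an added illustration (this is not the challenge's userauth.go, nor the project's patch), the Go snippet below places a hypothetical suffix-based domain check next to the split-at-"@" comparison the patch description calls for; the weak check, the function names and the allowed domain are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// weakDomainAllowed is a hypothetical pre-patch check (an assumption, not the
// project's code). It only asks whether the address ends with the allowed
// domain string, so "mallory@evil-example.com" is accepted for "example.com".
func weakDomainAllowed(email, allowedDomain string) bool {
	return strings.HasSuffix(strings.ToLower(email), strings.ToLower(allowedDomain))
}

// strictDomainAllowed follows the approach the patch description gives: split
// the address at "@" and compare the domain part exactly (case-insensitively).
// Addresses with zero or more than one "@", or an empty local/domain part,
// are rejected instead of guessed at.
func strictDomainAllowed(email, allowedDomain string) bool {
	parts := strings.Split(email, "@")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return false
	}
	return strings.EqualFold(parts[1], allowedDomain)
}

func main() {
	// Constructed sample addresses against a constructed allowed domain.
	const allowed = "example.com"
	for _, email := range []string{
		"alice@example.com",              // legitimate user
		"mallory@evil-example.com",       // look-alike domain, suffix still matches
		"mallory@example.com@attacker.net", // second "@" in the address
		"ALICE@Example.COM",              // case differences only
	} {
		fmt.Printf("%-36s weak=%-5v strict=%v\n", email,
			weakDomainAllowed(email, allowed), strictDomainAllowed(email, allowed))
	}
}
```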
