Skip to content
This repository has been archived by the owner on Dec 14, 2017. It is now read-only.

Feature/fix exceptions on invalid parameters #81

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Feature/fix exceptions on invalid parameters #81

wants to merge 3 commits into from

Conversation

pi3k14
Copy link

@pi3k14 pi3k14 commented Sep 22, 2016

Cleaned up some fault handling which previously resulted in thrown exceptions

@leastprivilege
Copy link
Member

Did you check the ws-fed spec what the exact status codes should be?

@pi3k14
Copy link
Author

pi3k14 commented Sep 27, 2016

Haven't changed/added any status codes (or validated their validity), just ensured that they didn't get swallowed in an Internal Server error.

@leastprivilege
Copy link
Member

@scottbrady91 could you have a look please?

scottbrady91
scottbrady91 reviewed Sep 27, 2016
View reviewed changes
source/WsFederationPlugin/WsFederationController.cs
}
}
catch (Exception e)
{
return BadRequest("Invalid WS-Federation request: " + e.Message);
Copy link
Member

@scottbrady91 scottbrady91 Sep 27, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're leaking exception details here. Any exception thrown in this try/catch block will have its message displayed to the end user.

The exceptions in IdentityServer are intentionally vague to not leak internal info.

Copy link
Author

@pi3k14 pi3k14 Sep 29, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it leaks exceptions from WSFederationMessage.TryCreateFromUri and WSFederationMessage.CreateFromNameValueCollection, an alternative would be to just logg these and return "Invalid WS-Federation request".

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this not what it does already?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current version "crash" when eg. CreateFromNameValueCollection throws an exception. The TryCreateFromUri method does not contain a try/catch block (the name is a bit misleading).

@scottbrady91
Copy link
Member

If the try catch block is the only change, I'm happy for this to be merged once the exception message is removed from the BadRequest

@ghost ghost deleted a comment from dnfclas Dec 7, 2017
@ghost ghost removed the cla-not-required label Dec 7, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@scottbrady91 scottbrady91 scottbrady91 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pi3k14 @leastprivilege @scottbrady91 @dnfclas