Make error response not redirectable when client is unauthorized #1435
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
houndci-bot
reviewed
Aug 2, 2020
linhdangduy
changed the title
linhdangduy
force-pushed
the
not_redirectable_when_client_is_unauthorized
branch
from
4b2c686 to
dfe291b
Compare
houndci-bot
reviewed
Aug 2, 2020
linhdangduy
force-pushed
the
not_redirectable_when_client_is_unauthorized
branch
from
dfe291b to
5df890e
Compare
nbulaj
reviewed
Aug 3, 2020
| :unauthorized | ||
| else | ||
| :bad_request | ||
| end | ||
| end | ||
|
|
||
| def redirectable? | ||
| name != :invalid_redirect_uri && name != :invalid_client && | ||
| name != :invalid_redirect_uri && |
There was a problem hiding this comment.
Let's introduce a const named NON_REDIRECTABLE_STATES or smth like this with states from above and then just:
NON_REDIRECTABLE_STATES.include?(name)
linhdangduy
force-pushed
the
not_redirectable_when_client_is_unauthorized
branch
from
5df890e to
72914eb
Compare
houndci-bot
reviewed
Aug 4, 2020
linhdangduy
force-pushed
the
not_redirectable_when_client_is_unauthorized
branch
from
72914eb to
bf9d348
Compare
linhdangduy
commented
Aug 4, 2020
Comment on lines
-43
to
+45
| name != :invalid_redirect_uri && name != :invalid_client && | ||
| !URIChecker.oob_uri?(@redirect_uri) | ||
| !NON_REDIRECTABLE_STATES.include?(name) && !URIChecker.oob_uri?(@redirect_uri) |
There was a problem hiding this comment.
@nbulaj I added these error names to NON_REDIRECTABLE_STATES
nbulaj
approved these changes
Aug 4, 2020
|
Thanks @linhdangduy ! |
This was referenced Mar 17, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
As rfc6749 has mentioned, when client is invalid, it MUST_NOT redirect the user-agent: https://tools.ietf.org/html/rfc6749#section-4.1.2.1
return status code as 401 when error is unauthorized_client lib/doorkeeper/oauth/error_response.rb
add
name != :unauthorized_client &&toredirectable?method of error_response lib/doorkeeper/oauth/error_response.rbadd unit test on
redirectable?for error_response_spec and invalid_request_response_spec spec/lib/oauth/error_response_spec.rb, spec/lib/oauth/invalid_request_response_spec.rbadd test
must call the validations on client and redirect_uri before other validations because they are not redirectableto pre_authorization_spec. spec/lib/oauth/pre_authorization_spec.rbmissing parameter response_typeandinvalid_redirect_uri, if themissing parameter response_typevalidation is run beforeinvalid_redirect_urivalidation, authorization server will return error by redirect the user-agent to the invalid redirect_uri, which is not followed quote from rfc6749 above (which lead to vulnerability on redirection)Other Information
validate_resource_owner_authorize_for_clientin pre_authorization as order of validate declaration. lib/doorkeeper/oauth/pre_authorization.rb