go-gitea · glmdev · May 6, 2022 · May 6, 2022 · May 6, 2022 · Jun 8, 2022
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -474,6 +474,10 @@ ENABLE = true
 ;;
 ;; Maximum length of oauth2 token/cookie stored on server
 ;MAX_TOKEN_LENGTH = 32767
+;;
+;; Allows client redirect_uris to specify wildcard patterns
+;; (e.g. https://site.url/page/*)
+;ENABLE_REDIRECT_URI_WILDCARD = false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -994,6 +994,7 @@ Default templates for project boards:
 - `JWT_SECRET`: **\<empty\>**: OAuth2 authentication secret for access and refresh tokens, change this to a unique string. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `HS256`, `HS384` or `HS512`.
 - `JWT_SIGNING_PRIVATE_KEY_FILE`: **jwt/private.pem**: Private key file path used to sign OAuth2 tokens. The path is relative to `APP_DATA_PATH`. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `RS256`, `RS384`, `RS512`, `ES256`, `ES384` or `ES512`. The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
 - `MAX_TOKEN_LENGTH`: **32767**: Maximum length of token/cookie to accept from OAuth2 provider
+- `ENABLE_REDIRECT_URI_WILDCARD`: **false**: Allows client redirect_uris to specify wildcard patterns
 
 ## i18n (`i18n`)
 

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
@@ -13,6 +13,7 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
@@ -54,6 +55,9 @@ func (app *OAuth2Application) PrimaryRedirectURI() string {
 
 // ContainsRedirectURI checks if redirectURI is allowed for app
 func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
+	if setting.OAuth2.EnableRedirectURIWildcard {
+		return util.StringMatchesAnyPattern(redirectURI, app.RedirectURIs, true)
+	}
 	return util.IsStringInSlice(redirectURI, app.RedirectURIs, true)
 }
 

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
@@ -390,6 +390,7 @@ var (
 		JWTSecretBase64            string `ini:"JWT_SECRET"`
 		JWTSigningPrivateKeyFile   string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
 		MaxTokenLength             int
+		EnableRedirectURIWildcard  bool `ini:"ENABLE_REDIRECT_URI_WILDCARD"`
 	}{
 		Enable:                     true,
 		AccessTokenExpirationTime:  3600,
@@ -398,6 +399,7 @@ var (
 		JWTSigningAlgorithm:        "RS256",
 		JWTSigningPrivateKeyFile:   "jwt/private.pem",
 		MaxTokenLength:             math.MaxInt16,
+		EnableRedirectURIWildcard:  false,
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.18.0

diff --git a/modules/util/compare.go b/modules/util/compare.go
@@ -5,6 +5,7 @@
 package util
 
 import (
+	"regexp"
 	"sort"
 	"strings"
 )
@@ -60,6 +61,46 @@ func IsStringInSlice(target string, slice []string, insensitive ...bool) bool {
 	return false
 }
 
+// StringMatchesPattern checks whether the target string matches the wildcard pattern
+func StringMatchesPattern(target, pattern string) bool {
+	// Compile the wildcards in the pattern to a regular expression
+	var compiled strings.Builder
+	for i, segment := range strings.Split(pattern, "*") {
+		if i > 0 {
+			compiled.WriteString(".*")
+		}
+
+		compiled.WriteString(regexp.QuoteMeta(segment))
+	}
+
+	// Check whether the target matches the compiled pattern
+	result, _ := regexp.MatchString(compiled.String(), target)
+	return result
+}
+
+// StringMatchesAnyPattern sequential searches if target matches any patterns in the slice
+func StringMatchesAnyPattern(target string, patterns []string, insensitive ...bool) bool {
+	caseInsensitive := false
+	if len(insensitive) != 0 && insensitive[0] {
+		caseInsensitive = true
+		target = strings.ToLower(target)
+	}
+
+	for _, pattern := range patterns {
+		if caseInsensitive {
+			if StringMatchesPattern(target, strings.ToLower(pattern)) {
+				return true
+			}
+		} else {
+			if StringMatchesPattern(target, pattern) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 // IsInt64InSlice sequential searches if int64 exists in slice.
 func IsInt64InSlice(target int64, slice []int64) bool {
 	for i := 0; i < len(slice); i++ {

diff --git a/modules/util/compare_test.go b/modules/util/compare_test.go
@@ -0,0 +1,28 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestStringMatchesPattern(t *testing.T) {
+	// Make sure non-wildcard matching works
+	assert.True(t, StringMatchesPattern("fubar", "fubar"))
+
+	// Make sure wildcard matching accepts
+	assert.True(t, StringMatchesPattern("A is not B", "A*B"))
+	assert.True(t, StringMatchesPattern("A is not B", "A*"))
+
+	// Make sure wildcard matching rejects
+	assert.False(t, StringMatchesPattern("fubar", "A*B"))
+	assert.False(t, StringMatchesPattern("A is not b", "A*B"))
+
+	// Make sure regexp specials are escaped
+	assert.False(t, StringMatchesPattern("A is not B", "[aA]*"))
+	assert.True(t, StringMatchesPattern("[aA] is not B", "[aA]*"))
+}