fix: filter unallowed params in callback

thomasvargiu · thomasvargiu · commit 4884167ff958 · 2022-09-27T12:31:10.000+02:00
diff --git a/src/Service/AuthorizationService.php b/src/Service/AuthorizationService.php
@@ -134,7 +134,11 @@ public function callback(
         ?AuthSessionInterface $authSession = null,
         ?int $maxAge = null
     ): TokenSetInterface {
-        $tokenSet = $this->tokenSetFactory->fromArray($params);
+        $allowedParams = ['code', 'state', 'token_type', 'access_token', 'id_token', 'refresh_token', 'expires_in', 'code_verifier'];
+        $tokenSet = $this->tokenSetFactory->fromArray(array_intersect_key(
+            $params,
+            array_fill_keys($allowedParams, true)
+        ));
 
         $idToken = $tokenSet->getIdToken();
 
diff --git a/tests/Service/AuthorizationServiceTest.php b/tests/Service/AuthorizationServiceTest.php
@@ -6,12 +6,15 @@
 
 use Facile\OpenIDClient\AuthMethod\AuthMethodFactoryInterface;
 use Facile\OpenIDClient\AuthMethod\AuthMethodInterface;
+use Facile\OpenIDClient\Client\Client;
 use Facile\OpenIDClient\Client\ClientInterface as OpenIDClient;
+use Facile\OpenIDClient\Client\Metadata\ClientMetadata;
 use Facile\OpenIDClient\Client\Metadata\ClientMetadataInterface;
 use Facile\OpenIDClient\Issuer\IssuerInterface;
 use Facile\OpenIDClient\Issuer\Metadata\IssuerMetadataInterface;
 use Facile\OpenIDClient\Service\AuthorizationService;
 use Facile\OpenIDClient\Token\IdTokenVerifierBuilderInterface;
+use Facile\OpenIDClient\Token\TokenSetFactory;
 use Facile\OpenIDClient\Token\TokenSetFactoryInterface;
 use Facile\OpenIDClient\Token\TokenSetInterface;
 use Facile\OpenIDClient\Token\TokenVerifierBuilderInterface;
@@ -123,4 +126,46 @@ public function testFetchTokenFromCode(): void
 
         static::assertSame($tokenSet->reveal(), $service->grant($openIdClient->reveal(), $claims));
     }
+
+    public function testCallbackShouldNotProcessUnknownParams(): void
+    {
+        $tokenSetFactory = $this->prophesize(TokenSetFactoryInterface::class);
+        $client = $this->prophesize(ClientInterface::class);
+        $requestFactory = $this->prophesize(RequestFactoryInterface::class);
+        $idTokenVerifierBuilder = $this->prophesize(IdTokenVerifierBuilderInterface::class);
+        $tokenVerifierBuilder = $this->prophesize(TokenVerifierBuilderInterface::class);
+
+        $service = new AuthorizationService(
+            $tokenSetFactory->reveal(),
+            $client->reveal(),
+            $requestFactory->reveal(),
+            $idTokenVerifierBuilder->reveal(),
+            $tokenVerifierBuilder->reveal()
+        );
+
+        $issuer = $this->prophesize(IssuerInterface::class);
+        $clientMetadata = ClientMetadata::fromArray([
+            'client_id' => 'foobar',
+            'client_secret' => 'secret',
+            'redirect_uris' => [
+                'http://localhost/callback',
+            ],
+        ]);
+        $client = new Client(
+            $issuer->reveal(),
+            $clientMetadata
+        );
+
+        // Build poc request
+        $body = 'claims[iss]=foobar&claims[sub]=adminuser1'; // forge arbitrary claims
+        $headers = ['test' => 'test'];
+        $serverRequest = new \GuzzleHttp\Psr7\ServerRequest('POST', 'http://127.0.0.1:8082', $headers, $body);
+
+        $callbackParams = $service->getCallbackParams($serverRequest, $client);
+        $tokenSet = $service->callback($client, $callbackParams); // tokenSet contains forged claims
+
+        $claims = $tokenSet->claims();
+
+        $this->assertSame([], $claims);
+    }
 }
