Handles ValueErrors with invalid hex values in query strings (#954)

AUTHORS

@@ -11,6 +11,7 @@ Abhishek Patel
 Alan Crosswell
 Aleksander Vaskevich
 Alessandro De Angelis
+Alex Szabó
 Allisson Azevedo
 Anvesh Agarwal
 Aristóbulo Meneses

CHANGELOG.md

@@ -19,9 +19,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 * #712, #636, #808. Calls to `django.contrib.auth.authenticate()` now pass a `request`
   to provide compatibility with backends that need one.
-  
+
 ### Fixed
 * #524 Restrict usage of timezone aware expire dates to Django projects with USE_TZ set to True.
+* #954 Query strings with invalid hex values now raise a SuspiciousOperation exception
 
 ## [1.5.0] 2021-03-18
 

oauth2_provider/backends.py

@@ -1,4 +1,5 @@
 from django.contrib.auth import get_user_model
+from django.core.exceptions import SuspiciousOperation
 
 from .oauth2_backends import get_oauthlib_core
 
@@ -14,9 +15,14 @@ class OAuth2Backend:
 
     def authenticate(self, request=None, **credentials):
         if request is not None:
-            valid, r = OAuthLibCore.verify_request(request, scopes=[])
-            if valid:
-                return r.user
+            try:
+                valid, request = OAuthLibCore.verify_request(request, scopes=[])
+            except ValueError as error:
+                raise SuspiciousOperation(error)
+            else:
+                if valid:
+                    return request.user
+
         return None
 
     def get_user(self, user_id):

oauth2_provider/views/mixins.py

@@ -1,7 +1,7 @@
 import logging
 
 from django.conf import settings
-from django.core.exceptions import ImproperlyConfigured
+from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
 from django.http import HttpResponseForbidden, HttpResponseNotFound
 
 from ..exceptions import FatalClientError
@@ -150,7 +150,11 @@ def verify_request(self, request):
         :param request: The current django.http.HttpRequest object
         """
         core = self.get_oauthlib_core()
-        return core.verify_request(request, scopes=self.get_scopes())
+
+        try:
+            return core.verify_request(request, scopes=self.get_scopes())
+        except ValueError as error:
+            raise SuspiciousOperation(error)
 
     def get_scopes(self):
         """

tests/test_auth_backends.py

@@ -1,5 +1,7 @@
+import pytest
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import SuspiciousOperation
 from django.http import HttpResponse
 from django.test import RequestFactory, TestCase
 from django.test.utils import modify_settings, override_settings
@@ -9,7 +11,6 @@
 from oauth2_provider.middleware import OAuth2TokenMiddleware
 from oauth2_provider.models import get_access_token_model, get_application_model
 
-
 UserModel = get_user_model()
 ApplicationModel = get_application_model()
 AccessTokenModel = get_access_token_model()
@@ -51,6 +52,16 @@ def test_authenticate(self):
         u = backend.authenticate(**credentials)
         self.assertEqual(u, self.user)
 
+    def test_authenticate_raises_error_with_invalid_hex_in_query_params(self):
+        auth_headers = {
+            "HTTP_AUTHORIZATION": "Bearer " + "tokstr",
+        }
+        request = self.factory.get("/a-resource?auth_token=%%7A", **auth_headers)
+        credentials = {"request": request}
+
+        with pytest.raises(SuspiciousOperation):
+            OAuth2Backend().authenticate(**credentials)
+
     def test_authenticate_fail(self):
         auth_headers = {
             "HTTP_AUTHORIZATION": "Bearer " + "badstring",

tests/test_client_credential.py

@@ -3,6 +3,7 @@
 
 import pytest
 from django.contrib.auth import get_user_model
+from django.core.exceptions import SuspiciousOperation
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from django.views.generic import View
@@ -101,21 +102,22 @@ def test_client_credential_user_is_none_on_access_token(self):
         self.assertIsNone(access_token.user)
 
 
+class TestView(OAuthLibMixin, View):
+    server_class = BackendApplicationServer
+    validator_class = OAuth2Validator
+    oauthlib_backend_class = OAuthLibCore
+
+    def get_scopes(self):
+        return ["read", "write"]
+
+
 class TestExtendedRequest(BaseTest):
     @classmethod
     def setUpClass(cls):
         cls.request_factory = RequestFactory()
         super().setUpClass()
 
     def test_extended_request(self):
-        class TestView(OAuthLibMixin, View):
-            server_class = BackendApplicationServer
-            validator_class = OAuth2Validator
-            oauthlib_backend_class = OAuthLibCore
-
-            def get_scopes(self):
-                return ["read", "write"]
-
         token_request_data = {
             "grant_type": "client_credentials",
         }
@@ -143,6 +145,12 @@ def get_scopes(self):
         self.assertEqual(r.client, self.application)
         self.assertEqual(r.scopes, ["read", "write"])
 
+    def test_raises_error_with_invalid_hex_in_query_params(self):
+        request = self.request_factory.get("/fake-req?auth_token=%%7A")
+
+        with pytest.raises(SuspiciousOperation):
+            TestView().verify_request(request)
+
 
 class TestClientResourcePasswordBased(BaseTest):
     def test_client_resource_password_based(self):