[KEYCLOAK-7087] Calling admin routes without data crashes NodeJS app

keycloak · Aug 27, 2018 · 55e54b5 · 55e54b5
1 parent 7f707d5
commit 55e54b5
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/middleware/admin.js b/middleware/admin.js
@@ -35,8 +35,14 @@ function adminLogout (request, response, keycloak) {
   });
 
   request.on('end', function () {
+    let payload;
     let parts = data.split('.');
-    let payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+    try {
+      payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+    } catch (e) {
+      response.status(400).end();
+      return;
+    }
     if (payload.action === 'LOGOUT') {
       let sessionIDs = payload.adapterSessionIds;
       if (!sessionIDs) {

diff --git a/test/keycloak-connect-rest-spec.js b/test/keycloak-connect-rest-spec.js
@@ -55,6 +55,14 @@ test('Should test protected route.', t => {
   return t.shouldFail(roi.get(opt), 'Access denied', 'Response should be access denied for no credentials');
 });
 
+test('Should test for bad request on k_logout without any parameters.', t => {
+  t.plan(1);
+  const opt = {
+    'endpoint': app.address + '/k_logout'
+  };
+  return t.shouldFail(roi.get(opt), 'Response should be bad request');
+});
+
 test('Should test protected route with admin credentials.', t => {
   t.plan(1);
   return getToken().then((token) => {