fix: html safe guard the action attribute in form post responses

This is not exploitable when running out of the box provider since all URIs need to come from a client `redirect_uris` allow list. This change sanitizes the action field for developers who decide to overload `Client.prototype.redirectUriAllowed` and fail to do so properly.
panva · Jan 4, 2021 · 7cd6025 · 7cd6025
1 parent d282b86
commit 7cd6025
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/lib/response_modes/form_post.js b/lib/response_modes/form_post.js
@@ -21,7 +21,7 @@ module.exports = function formPost(ctx, action, inputs) {
   </script>
 </head>
 <body>
-  <form method="post" action="${action}">
+  <form method="post" action="${htmlSafe(action)}">
     ${formInputs}
     <noscript>
       Your browser does not support JavaScript or you've disabled it.<br/>

diff --git a/test/form_post/form_post.config.js b/test/form_post/form_post.config.js
@@ -7,6 +7,6 @@ module.exports = {
     client_secret: 'secret',
     grant_types: ['authorization_code', 'implicit'],
     response_types: ['code', 'code id_token token'],
-    redirect_uris: ['https://client.example.com/cb'],
+    redirect_uris: ['https://client.example.com/cb', 'https://client.example.com/cb"><script>alert(0)</script><x="'],
   },
 };
diff --git a/test/form_post/form_post.test.js b/test/form_post/form_post.test.js
@@ -2,6 +2,7 @@ const { expect } = require('chai');
 const sinon = require('sinon');
 
 const bootstrap = require('../test_helper');
+const safe = require('../../lib/helpers/html_safe');
 
 const route = '/auth';
 
@@ -27,6 +28,21 @@ describe('/auth', () => {
             .expect(new RegExp(`input type="hidden" name="state" value="${auth.state}"`))
             .expect(new RegExp(`form method="post" action="${auth.redirect_uri}"`));
         });
+
+        it('sanitizes the action attribute', function () {
+          const auth = new this.AuthorizationRequest({
+            response_type: 'code id_token token',
+            response_mode: 'form_post',
+            scope: 'openid',
+            redirect_uri: 'https://client.example.com/cb"><script>alert(0)</script><x="',
+          });
+
+          return this.wrap({ route, verb, auth })
+            .expect(200)
+            .expect(({ text: body }) => {
+              expect(body).to.contain(safe(auth.redirect_uri));
+            });
+        });
       });
 
       context('error handling', () => {