fix: forbid redirect_uri with an empty fragment component
panva committed Oct 8, 2019
1 parent 217746c commit ca196a0
Showing 2 changed files with 9 additions and 10 deletions.
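--- a/lib/helpers/client_schema.js
+++ b/lib/helpers/client_schema.js
@@ -1,4 +1,4 @@
-const { URL } = require('url');
+const url = require('url');
 
 const clone = require('lodash/clone');
 const without = require('lodash/without');
@@ -474,7 +474,7 @@ module.exports = function getSchema(provider) {
 if (this.application_type === 'web') return;
 
 this.redirect_uris = this.redirect_uris.map((redirectUri) => {
-const parsed = new URL(redirectUri);
+const parsed = new url.URL(redirectUri);
 // remove the port component, making dynamic ports allowed for loopback uris
 if (parsed.protocol === 'http:' && LOOPBACKS.includes(parsed.hostname)) {
 parsed.port = 80; // http + 80 = no port part in the string
@@ -488,7 +488,7 @@ module.exports = function getSchema(provider) {
 postLogoutRedirectUris() {
 this.post_logout_redirect_uris.forEach((uri) => {
 try {
-new URL(uri); // eslint-disable-line no-new
+new url.URL(uri); // eslint-disable-line no-new
 } catch (err) {
 invalidate('post_logout_redirect_uris must only contain uris');
 }
@@ -502,7 +502,7 @@ module.exports = function getSchema(provider) {
 let protocol;
 
 try {
-({ origin, protocol } = new URL(uri));
+({ origin, protocol } = new url.URL(uri));
 } catch (err) {
 invalidate('web_message_uris must only contain valid uris');
 }
@@ -517,16 +517,14 @@ module.exports = function getSchema(provider) {
 
 redirectUris() {
 this.redirect_uris.forEach((redirectUri) => {
-let hostname;
-let protocol;
-let hash;
-
 try {
-({ hash, hostname, protocol } = new URL(redirectUri));
+new url.URL(redirectUri); // eslint-disable-line no-new
 } catch (err) {
 invalidate('redirect_uris must only contain valid uris');
 }
 
+const { hash, hostname, protocol } = url.parse(redirectUri);
+
 if (hash) {
 invalidate('redirect_uris must not contain fragments');
 }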
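Review bot: The new `const { hash, hostname, protocol } = url.parse(redirectUri);` line pulls the components from the legacy parser while the `try` block just above decided validity with the WHATWG `url.URL`, so the values checked below come from a different parser than the one that accepted the string; the two are known to disagree on edge cases (for instance `url.parse` strips the brackets from an IPv6 host that `url.URL` reports as `[::1]`), which would matter if the code after this hunk compares `hostname` against `LOOPBACKS` the way the `application_type` branch earlier in the file does. The empty-fragment case the commit targets (RFC 6749 §3.1.2 forbids any fragment component in the redirection endpoint URI) can be caught without the second parser, because once a string has passed `new url.URL()` an unencoded `#` can only begin a fragment: keep `const { hostname, protocol } = new url.URL(redirectUri);` inside the `try` and test `if (redirectUri.includes('#')) {` in place of `if (hash) {`. `url.parse` is also documented by Node as the legacy URL API, so not adding a new use of it on a security-relevant validation path seems worth the small change. `redirectUris()` continues past the end of this hunk, so I cannot confirm what `hostname` and `protocol` are compared against there.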
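--- a/test/configuration/client_metadata.test.js
+++ b/test/configuration/client_metadata.test.js
@@ -315,7 +315,8 @@ describe('Client metadata validation', () => {
 allows(this.title, ['https://some'], {
 application_type: 'web',
 });
-rejects(this.title, ['https://some#whatever'], undefined, {
+rejects(this.title, ['https://rp.example.com#'], /redirect_uris must not contain fragments$/);
+rejects(this.title, ['https://rp.example.com#whatever'], /redirect_uris must not contain fragments$/, {
 application_type: 'web',
 });
 rejects(this.title, ['no-dot-reverse-notation:/some'], undefined, {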
