
Commit ca196a0

committed
fix: forbid redirect_uri with an empty fragment component
1 parent 217746c commit ca196a0


2 files changed

+9
-10
lines changed


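--- a/lib/helpers/client_schema.js
+++ b/lib/helpers/client_schema.js
@@ -1,4 +1,4 @@
-const { URL } = require('url');
+const url = require('url');
 
 const clone = require('lodash/clone');
 const without = require('lodash/without');
@@ -474,7 +474,7 @@ module.exports = function getSchema(provider) {
 if (this.application_type === 'web') return;
 
 this.redirect_uris = this.redirect_uris.map((redirectUri) => {
-const parsed = new URL(redirectUri);
+const parsed = new url.URL(redirectUri);
 // remove the port component, making dynamic ports allowed for loopback uris
 if (parsed.protocol === 'http:' && LOOPBACKS.includes(parsed.hostname)) {
 parsed.port = 80; // http + 80 = no port part in the string
@@ -488,7 +488,7 @@ module.exports = function getSchema(provider) {
 postLogoutRedirectUris() {
 this.post_logout_redirect_uris.forEach((uri) => {
 try {
-new URL(uri); // eslint-disable-line no-new
+new url.URL(uri); // eslint-disable-line no-new
 } catch (err) {
 invalidate('post_logout_redirect_uris must only contain uris');
 }
@@ -502,7 +502,7 @@ module.exports = function getSchema(provider) {
 let protocol;
 
 try {
-({ origin, protocol } = new URL(uri));
+({ origin, protocol } = new url.URL(uri));
 } catch (err) {
 invalidate('web_message_uris must only contain valid uris');
 }
@@ -517,16 +517,14 @@ module.exports = function getSchema(provider) {
 
 redirectUris() {
 this.redirect_uris.forEach((redirectUri) => {
-let hostname;
-let protocol;
-let hash;
-
 try {
-({ hash, hostname, protocol } = new URL(redirectUri));
+new url.URL(redirectUri); // eslint-disable-line no-new
 } catch (err) {
 invalidate('redirect_uris must only contain valid uris');
 }
 
+const { hash, hostname, protocol } = url.parse(redirectUri);
+
 if (hash) {
 invalidate('redirect_uris must not contain fragments');
 }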
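Review bot: The validity check and the value extraction in the last hunk now use two different parsers — WHATWG `url.URL` for validity, legacy `url.parse` on the added line `const { hash, hostname, protocol } = url.parse(redirectUri);` for the values — and the two can disagree on edge inputs (legacy `url.parse` is documented as legacy in Node), so the `hash`/`hostname`/`protocol` being checked are not necessarily those of the string that was just validated. If the goal is only to catch the empty fragment that `URL#hash` reports as `''`, a parser-independent check does it with one parser: `if (redirectUri.includes('#')) invalidate('redirect_uris must not contain fragments');`, since an unencoded `#` can only introduce the fragment component, and `hostname`/`protocol` could then be read from the `URL` instance. The consumers of `hostname` and `protocol` lie outside the hunk and legacy and WHATWG parsing differ for non-special schemes (e.g. `null` vs `''` hostname), so confirm that before switching. Note also that `url.parse` still runs after a failed `new url.URL` unless `invalidate` throws, which the hunk does not show. The body of `redirectUris` continues past the end of the hunk.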
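--- a/test/configuration/client_metadata.test.js
+++ b/test/configuration/client_metadata.test.js
@@ -315,7 +315,8 @@ describe('Client metadata validation', () => {
 allows(this.title, ['https://some'], {
 application_type: 'web',
 });
-rejects(this.title, ['https://some#whatever'], undefined, {
+rejects(this.title, ['https://rp.example.com#'], /redirect_uris must not contain fragments$/);
+rejects(this.title, ['https://rp.example.com#whatever'], /redirect_uris must not contain fragments$/, {
 application_type: 'web',
 });
 rejects(this.title, ['no-dot-reverse-notation:/some'], undefined, {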
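Review bot: The new empty-fragment case `rejects(this.title, ['https://rp.example.com#'], /redirect_uris must not contain fragments$/);` runs without `application_type: 'web'`, whereas the adjacent `#whatever` case passes it, so the empty-fragment rejection is only exercised under the default application type. Since the schema hunk applies its fragment check in `redirectUris()` independently of the type, one extra call mirroring the `web` options would pin that both paths reject `#`; presumably the default type also reaches that check, but the options handling is outside the hunk.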