Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

correctly handle path escaping for connector IDs #2290

Merged
merged 3 commits into from
May 31, 2022
Merged

correctly handle path escaping for connector IDs #2290

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8fd69c1
correctly handle path escaping for connector IDs
bobcallaway Oct 1, 2021
2e0041f
ensure template does not double-escape URL
bobcallaway Oct 6, 2021
6eeba94
Merge remote-tracking branch 'upstream/master' into issue2289
bobcallaway May 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 24 additions & 7 deletions server/handlers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
"html/template"
"net/http"
"net/url"
"path"
Expand Down Expand Up @@ -153,7 +154,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
if connectorID != "" {
for _, c := range connectors {
if c.ID == connectorID {
connURL.Path = s.absPath("/auth", c.ID)
connURL.Path = s.absPath("/auth", url.PathEscape(c.ID))
http.Redirect(w, r, connURL.String(), http.StatusFound)
return
}
Expand All @@ -163,18 +164,18 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
}

if len(connectors) == 1 && !s.alwaysShowLogin {
connURL.Path = s.absPath("/auth", connectors[0].ID)
connURL.Path = s.absPath("/auth", url.PathEscape(connectors[0].ID))
http.Redirect(w, r, connURL.String(), http.StatusFound)
}

connectorInfos := make([]connectorInfo, len(connectors))
for index, conn := range connectors {
connURL.Path = s.absPath("/auth", conn.ID)
connURL.Path = s.absPath("/auth", url.PathEscape(conn.ID))
connectorInfos[index] = connectorInfo{
ID: conn.ID,
Name: conn.Name,
Type: conn.Type,
URL: connURL.String(),
URL: template.URL(connURL.String()),
}
}

Expand All @@ -200,7 +201,13 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
return
}

connID := mux.Vars(r)["connector"]
connID, err := url.PathUnescape(mux.Vars(r)["connector"])
if err != nil {
s.logger.Errorf("Failed to parse connector: %v", err)
s.renderError(r, w, http.StatusBadRequest, "Requested resource does not exist")
return
}

conn, err := s.getConnector(connID)
if err != nil {
s.logger.Errorf("Failed to get connector: %v", err)
Expand Down Expand Up @@ -316,7 +323,12 @@ func (s *Server) handlePasswordLogin(w http.ResponseWriter, r *http.Request) {
return
}

if connID := mux.Vars(r)["connector"]; connID != "" && connID != authReq.ConnectorID {
connID, err := url.PathUnescape(mux.Vars(r)["connector"])
if err != nil {
s.logger.Errorf("Failed to parse connector: %v", err)
s.renderError(r, w, http.StatusBadRequest, "Requested resource does not exist")
return
} else if connID != "" && connID != authReq.ConnectorID {
s.logger.Errorf("Connector mismatch: authentication started with id %q, but password login for id %q was triggered", authReq.ConnectorID, connID)
s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
return
Expand Down Expand Up @@ -401,7 +413,12 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
return
}

if connID := mux.Vars(r)["connector"]; connID != "" && connID != authReq.ConnectorID {
connID, err := url.PathUnescape(mux.Vars(r)["connector"])
if err != nil {
s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err)
s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
return
} else if connID != "" && connID != authReq.ConnectorID {
s.logger.Errorf("Connector mismatch: authentication started with id %q, but callback for id %q was triggered", authReq.ConnectorID, connID)
s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
return
Expand Down
9 changes: 9 additions & 0 deletions server/handlers_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -254,6 +254,15 @@ func mockConnectorDataTestStorage(t *testing.T, s storage.Storage) {

err = s.CreateConnector(c1)
require.NoError(t, err)

c2 := storage.Connector{
ID: "http://any.valid.url/",
Type: "mock",
Name: "mockURLID",
}

err = s.CreateConnector(c2)
require.NoError(t, err)
}

func TestPasswordConnectorDataNotEmpty(t *testing.T) {
Expand Down
2 changes: 1 addition & 1 deletion server/server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -302,7 +302,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
}
}

r := mux.NewRouter()
r := mux.NewRouter().SkipClean(true).UseEncodedPath()
nabokihms marked this conversation as resolved.
Show resolved Hide resolved
handle := func(p string, h http.Handler) {
r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
}
Expand Down
2 changes: 1 addition & 1 deletion server/templates.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,7 @@ var scopeDescriptions = map[string]string{
type connectorInfo struct {
ID string
Name string
URL string
URL template.URL
Type string
}

Expand Down