Potential security fixes

2025-12-10 13:36:45 +03:00 · 2025-07-17 13:41:17 +05:30
parent bde1f7b5d6
commit f83711ecd6
4 changed files with 187 additions and 5 deletions
--- a/src/components/oauth/ConsentPage.tsx
+++ b/src/components/oauth/ConsentPage.tsx
@@ -11,6 +11,7 @@ import { authClient } from '@/lib/auth-client';
 import { apiRequest, showErrorToast } from '@/lib/utils';
 import { toast, Toaster } from 'sonner';
 import { Shield, User, Mail, ChevronRight, AlertTriangle, Loader2 } from 'lucide-react';
+import { isValidRedirectUri, parseRedirectUris } from '@/lib/utils/oauth-validation';

 interface OAuthApplication {
  id: string;
@@ -44,6 +45,7 @@ export default function ConsentPage() {
      const params = new URLSearchParams(window.location.search);
      const clientId = params.get('client_id');
      const scope = params.get('scope');
+      const redirectUri = params.get('redirect_uri');

      if (!clientId) {
        setError('Invalid authorization request: missing client ID');
@@ -59,6 +61,16 @@ export default function ConsentPage() {
        return;
      }

+      // Validate redirect URI if provided
+      if (redirectUri) {
+        const authorizedUris = parseRedirectUris(app.redirectURLs);
+        
+        if (!isValidRedirectUri(redirectUri, authorizedUris)) {
+          setError('Invalid authorization request: unauthorized redirect URI');
+          return;
+        }
+      }
+
      setApplication(app);

      // Parse requested scopes
@@ -91,8 +103,27 @@ export default function ConsentPage() {
        // If denied, redirect back to the application with error
        const params = new URLSearchParams(window.location.search);
        const redirectUri = params.get('redirect_uri');
-        if (redirectUri) {
-          window.location.href = `${redirectUri}?error=access_denied`;
+        
+        if (redirectUri && application) {
+          // Validate redirect URI against authorized URIs
+          const authorizedUris = parseRedirectUris(application.redirectURLs);
+          
+          if (isValidRedirectUri(redirectUri, authorizedUris)) {
+            try {
+              // Parse and reconstruct the URL to ensure it's safe
+              const url = new URL(redirectUri);
+              url.searchParams.set('error', 'access_denied');
+              
+              // Safe to redirect - URI has been validated and sanitized
+              window.location.href = url.toString();
+            } catch (e) {
+              console.error('Failed to parse redirect URI:', e);
+              setError('Invalid redirect URI');
+            }
+          } else {
+            console.error('Unauthorized redirect URI:', redirectUri);
+            setError('Invalid redirect URI');
+          }
        }
      }
    } catch (error) {