Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Password reset improperlly handles url-encoded query parameters in reset_url #17119

Closed
tofran opened this issue Jan 12, 2023 · 1 comment · Fixed by #17120
Closed

Password reset improperlly handles url-encoded query parameters in reset_url #17119

tofran opened this issue Jan 12, 2023 · 1 comment · Fixed by #17120

Comments

@tofran
Copy link
Contributor

tofran commented Jan 12, 2023

Describe the Bug

URL handling is not properly encoding query parameter components according to the spec, this leads to various bugs. Found it requesting reset password emails.

The affecting code is:

Object.keys(this.query).length !== 0
? `?${Object.entries(this.query)
.map(([k, v]) => `${k}=${v}`)
.join('&')}`
: '';

We cannot be building URLs by hand without non RFC compliant character handling.

To Reproduce

  1. Request a password reset request with a reset_url containing encoded characters
    With the REST api:

    curl --request POST \
        --url "$BASE_URL/auth/password/request" \
        --header 'content-type: application/json' \
        --data '{
              "email": "sample@example.com",
              "reset_url": "https://example.com/sample-ath?sample_encoded_parameter=sample%2Bvalue%21"
        }'

    Optionally in GraphQL:

    mutation auth_password_request {
        auth_password_request(
            email: "sample@example.com"
            reset_url: "https://example.com/sample-ath?sample_encoded_parameter=sample%2Bvalue%21"
        )
    }

    As you can see the URL contains a parameter sample_encoded_parameter with the value sample+value! (when encoded corresponds to sample%2Bvalue%21)

  2. An email will be sent with the following reset link:

    https://example.com/sample-ath?sample_encoded_parameter=sample+value!&token=JWT_TOKEN_REDACTED
    

    Instead we should be receiving

    https://example.com/sample-ath?sample_encoded_parameter=sample%2Bvalue%21&token=JWT_TOKEN_REDACTED
    

    Directus is unescaping the query parameters, and they should be kept as is (here demonstrated for values, but affects keys too).

Errors Shown

No response

What version of Directus are you using?

9.22.4

What version of Node.js are you using?

18.13.0

What database are you using?

(not relevant) PostgreSQL 13

What browser are you using?

(not relevant) Chrome

How are you deploying Directus?

locally and Docker
PaaS is not affected

@github-actions
Copy link

Linear: ENG-476

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant