New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SQL persister uses | to store scopes and audiences without any escaping #2859
Comments
Good point and thank you for the thorough review! I'd like to add though that spaces
Thus, Contribs welcomed :) |
@grantzvolsky we have changed this to a different method which now uses JSON for these types of arrays. The relevant type is this one: https://github.com/ory/x/blob/7112e2632340e269159c73b5ebde8149374aecea/sqlxx/types.go#L267 Maybe it makes sense as part of Hydra 2.0 to address this since we're changing the schema anyways? |
I have code that helps you convert the piped version to a JSON array literal. I can show you when you take a look at this. |
@aeneasr I'll keep this in mind and let you know when I need it. Thanks! |
Preflight checklist
Describe the bug
See here:
|
is not a reserved character in any way and could happen to be included inside scopes and audiences. This means that if any legitimate scope contains|
character (e.g.,user|mails|read
), this will break. I have not seen this character be used like that in scopes (generally people use:
or/
or.
) but still, I think it is unnecessary potential issue. If you want to use this custom encoding of a list (and not use JSON or something), then you have to escape|
inside scopes and audiences.On the other hand,
(space) cannot happen to be in scopes or audiences, because it is a reserved character by the spec itself, so I would suggest that this is simple replaced with
as delimiter.
Reproducing the bug
This was found during code review.
Relevant log output
No response
Relevant configuration
No response
Version
observed on current master branch
On which operating system are you observing this issue?
No response
In which environment are you deploying?
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered: