fix: forbid redirect_uri with an empty fragment component

panva · Oct 8, 2019 · ca196a0 · ca196a0
1 parent 217746c
commit ca196a0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 10 deletions.
diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
@@ -1,4 +1,4 @@
-const { URL } = require('url');
+const url = require('url');
 
 const clone = require('lodash/clone');
 const without = require('lodash/without');
@@ -474,7 +474,7 @@ module.exports = function getSchema(provider) {
       if (this.application_type === 'web') return;
 
       this.redirect_uris = this.redirect_uris.map((redirectUri) => {
-        const parsed = new URL(redirectUri);
+        const parsed = new url.URL(redirectUri);
         // remove the port component, making dynamic ports allowed for loopback uris
         if (parsed.protocol === 'http:' && LOOPBACKS.includes(parsed.hostname)) {
           parsed.port = 80; // http + 80 = no port part in the string
@@ -488,7 +488,7 @@ module.exports = function getSchema(provider) {
     postLogoutRedirectUris() {
       this.post_logout_redirect_uris.forEach((uri) => {
         try {
-          new URL(uri); // eslint-disable-line no-new
+          new url.URL(uri); // eslint-disable-line no-new
         } catch (err) {
           invalidate('post_logout_redirect_uris must only contain uris');
         }
@@ -502,7 +502,7 @@ module.exports = function getSchema(provider) {
         let protocol;
 
         try {
-          ({ origin, protocol } = new URL(uri));
+          ({ origin, protocol } = new url.URL(uri));
         } catch (err) {
           invalidate('web_message_uris must only contain valid uris');
         }
@@ -517,16 +517,14 @@ module.exports = function getSchema(provider) {
 
     redirectUris() {
       this.redirect_uris.forEach((redirectUri) => {
-        let hostname;
-        let protocol;
-        let hash;
-
         try {
-          ({ hash, hostname, protocol } = new URL(redirectUri));
+          new url.URL(redirectUri); // eslint-disable-line no-new
         } catch (err) {
           invalidate('redirect_uris must only contain valid uris');
         }
 
+        const { hash, hostname, protocol } = url.parse(redirectUri);
+
         if (hash) {
           invalidate('redirect_uris must not contain fragments');
         }

diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -315,7 +315,8 @@ describe('Client metadata validation', () => {
     allows(this.title, ['https://some'], {
       application_type: 'web',
     });
-    rejects(this.title, ['https://some#whatever'], undefined, {
+    rejects(this.title, ['https://rp.example.com#'], /redirect_uris must not contain fragments$/);
+    rejects(this.title, ['https://rp.example.com#whatever'], /redirect_uris must not contain fragments$/, {
       application_type: 'web',
     });
     rejects(this.title, ['no-dot-reverse-notation:/some'], undefined, {