From 38498835989d1610e0224f5a5c8473433b9123df Mon Sep 17 00:00:00 2001 From: Enrico Marconi Date: Wed, 29 Nov 2023 11:17:00 +0100 Subject: [PATCH] Validate domain-linkage URL making sure they only include an origin --- .../domain_linkage_configuration.rs | 3 +++ .../domain_linkage_credential_builder.rs | 17 +++++++++++++++++ .../domain_linkage/domain_linkage_validator.rs | 6 ++++++ 3 files changed, 26 insertions(+) diff --git a/identity_credential/src/domain_linkage/domain_linkage_configuration.rs b/identity_credential/src/domain_linkage/domain_linkage_configuration.rs index 2e4eaf3493..15637df441 100644 --- a/identity_credential/src/domain_linkage/domain_linkage_configuration.rs +++ b/identity_credential/src/domain_linkage/domain_linkage_configuration.rs @@ -128,6 +128,9 @@ mod __fetch_configuration { if domain.scheme() != "https" { return Err(DomainLinkageError("domain` does not use `https` protocol".into())); } + if domain.path() != "/" || domain.query().is_some() || domain.fragment().is_some() { + return Err(DomainLinkageError("domain mut not include any path, query of fragment".into())); + } domain.set_path(".well-known/did-configuration.json"); let client: Client = reqwest::ClientBuilder::new() diff --git a/identity_credential/src/domain_linkage/domain_linkage_credential_builder.rs b/identity_credential/src/domain_linkage/domain_linkage_credential_builder.rs index 96e3323718..2ae7db01af 100644 --- a/identity_credential/src/domain_linkage/domain_linkage_credential_builder.rs +++ b/identity_credential/src/domain_linkage/domain_linkage_credential_builder.rs @@ -74,6 +74,11 @@ impl DomainLinkageCredentialBuilder { "origin must be a domain with http(s) scheme".into(), )); } + if origin.path() != "/" || origin.query().is_some() || origin.fragment().is_some() { + return Err(Error::DomainLinkageError( + "origin must not contain any path, query or fragment".into() + )) + } let mut properties: Object = Object::new(); properties.insert("origin".into(), origin.into_string().into()); @@ -139,6 +144,18 @@ mod tests { .unwrap_err(); assert!(matches!(err, Error::DomainLinkageError(_))); } + #[test] + fn test_builder_origin_is_a_url() { + let issuer: CoreDID = "did:example:issuer".parse().unwrap(); + let err: Error = DomainLinkageCredentialBuilder::new() + .issuance_date(Timestamp::now_utc()) + .expiration_date(Timestamp::now_utc()) + .issuer(issuer) + .origin(Url::parse("https://example.com/foo?bar=420#baz").unwrap()) + .build() + .unwrap_err(); + assert!(matches!(err, Error::DomainLinkageError(_))); + } #[test] fn test_builder_no_issuer() { diff --git a/identity_credential/src/domain_linkage/domain_linkage_validator.rs b/identity_credential/src/domain_linkage/domain_linkage_validator.rs index aa2fd8e656..bacde4ef75 100644 --- a/identity_credential/src/domain_linkage/domain_linkage_validator.rs +++ b/identity_credential/src/domain_linkage/domain_linkage_validator.rs @@ -190,6 +190,12 @@ impl JwtDomainLinkageValidator { source: Some(Box::new(other_error)), }), }?; + if origin_url.path() != "/" || origin_url.query().is_some() || origin_url.fragment().is_some() { + return Err(DomainLinkageValidationError { + cause: DomainLinkageValidationErrorCause::InvalidSubjectOrigin, + source: None, + }); + } if origin_url.origin() != domain.origin() { return Err(DomainLinkageValidationError { cause: DomainLinkageValidationErrorCause::OriginMismatch,