check <loginParameter> encoding

membrane · Mar 14, 2024 · 8412f04 · 8412f04
1 parent f3eb450
commit 8412f04
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 16 deletions.
diff --git a/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/FlowInitiator.java b/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/FlowInitiator.java
@@ -73,6 +73,12 @@ public void setAfterLoginUrl(String afterLoginUrl) {
         this.afterLoginUrl = afterLoginUrl;
     }
 
+    @Override
+    public void init() throws Exception {
+        for (LoginParameter loginParameter : loginParameters)
+            loginParameter.init();
+    }
+
     @Override
     public Outcome handleRequest(Exchange exc) throws Exception {
         // remove session

diff --git a/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/LoginParameter.java b/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/LoginParameter.java
@@ -13,18 +13,20 @@
    limitations under the License. */
 package com.predic8.membrane.core.interceptor.oauth2client;
 
-import com.bornium.http.util.UriUtil;
 import com.predic8.membrane.annot.MCAttribute;
 import com.predic8.membrane.annot.MCElement;
 import com.predic8.membrane.core.exchange.Exchange;
 import com.predic8.membrane.core.util.URIFactory;
 import com.predic8.membrane.core.util.URLParamUtil;
 
 import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 @MCElement(name = "loginParameter")
 public class LoginParameter {
 
@@ -38,6 +40,11 @@ public LoginParameter(String name, String value) {
         this.value = value;
     }
 
+    public void init() throws UnsupportedEncodingException {
+        if (!name.equals(URLEncoder.encode(name, UTF_8)))
+            throw new RuntimeException("<loginParameter /> may only take a name which is identical under URL encoding so far: " + name);
+    }
+
     public static String copyLoginParameters(Exchange exc, List<LoginParameter> loginParameters) throws Exception {
         StringBuilder sb = new StringBuilder();
 
@@ -46,23 +53,19 @@ public static String copyLoginParameters(Exchange exc, List<LoginParameter> logi
 
         Map<String, String> params = URLParamUtil.getParams(new URIFactory(), exc, URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR);
         loginParameters.forEach(lp -> {
-            try {
-                if (lp.getValue() != null) {
+            if (lp.getValue() != null) {
+                sb.append("&");
+                sb.append(lp.getName());
+                sb.append("=");
+                sb.append(URLEncoder.encode(lp.getValue(), UTF_8));
+            } else {
+                if (params.containsKey(lp.getName())) {
+                    String encoded = URLEncoder.encode(params.get(lp.getName()), UTF_8);
                     sb.append("&");
                     sb.append(lp.getName());
                     sb.append("=");
-                    sb.append(UriUtil.encode(lp.getValue()));
-                } else {
-                    if (params.containsKey(lp.getName())) {
-                        String encoded = UriUtil.encode(params.get(lp.getName()));
-                        sb.append("&");
-                        sb.append(lp.getName());
-                        sb.append("=");
-                        sb.append(encoded);
-                    }
+                    sb.append(encoded);
                 }
-            } catch (UnsupportedEncodingException e) {
-                throw new RuntimeException(e);
             }
         });
 

diff --git a/...n/java/com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.java b/...n/java/com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.java
@@ -109,6 +109,8 @@ public void init(Router router) throws Exception {
         oAuth2CallbackRequestHandler.init(uriFactory, auth, originalExchangeStore, accessTokenRevalidator,
                 sessionAuthorizer, publicUrlManager, callbackPath, onlyRefreshToken);
         tokenAuthenticator.init(sessionAuthorizer, statistics, accessTokenRevalidator, auth);
+        for (LoginParameter loginParameter : loginParameters)
+            loginParameter.init();
     }
 
     @Override

diff --git a/...t/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/OAuth2ResourceB2CTest.java b/...t/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/OAuth2ResourceB2CTest.java
@@ -356,7 +356,7 @@ public void loginParams() throws Exception {
 
     @Test
     public void loginParamsPerFlow() throws Exception {
-        Exchange exc = new Request.Builder().get(getClientAddress() + "/pe/init?domain_hint=flow&illegal=true").buildExchange();
+        Exchange exc = new Request.Builder().get(getClientAddress() + "/pe/init?domain_hint=flow%c3%b6&illegal=true").buildExchange();
         browser.applyWithoutRedirect(exc);
 
         String location = exc.getResponse().getHeader().getFirstValue("Location");
@@ -369,7 +369,7 @@ public void loginParamsPerFlow() throws Exception {
         assertTrue(params.containsKey("fooflow"));
         assertEquals("bar", params.get("foo"));
         assertTrue(params.containsKey("domain_hint"));
-        assertEquals("flow", params.get("domain_hint"));
+        assertEquals("flow\u00f6", params.get("domain_hint")); // 'c3 b6' in UTF-8 for unicode '00 f6': o umlaut
         assertFalse(params.containsKey("illegal"));
     }