From 8412f04ba4adcbd18e678bce72af8c26913f3e4d Mon Sep 17 00:00:00 2001
From: Tobias Polley
Date: Thu, 14 Mar 2024 12:02:49 +0100
Subject: [PATCH] check encoding

---
 .../oauth2client/FlowInitiator.java | 6 ++++
 .../oauth2client/LoginParameter.java | 31 ++++++++++---------
 .../OAuth2Resource2Interceptor.java | 2 ++
 .../client/b2c/OAuth2ResourceB2CTest.java | 4 +--
 4 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/FlowInitiator.java b/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/FlowInitiator.java
index 1a5f59843e..29554e5d23 100644
--- a/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/FlowInitiator.java
+++ b/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/FlowInitiator.java
@@ -73,6 +73,12 @@ public void setAfterLoginUrl(String afterLoginUrl) {
         this.afterLoginUrl = afterLoginUrl;
     }
 
+    @Override
+    public void init() throws Exception {
+        for (LoginParameter loginParameter : loginParameters)
+            loginParameter.init();
+    }
+
     @Override
     public Outcome handleRequest(Exchange exc) throws Exception {
         // remove session
diff --git a/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/LoginParameter.java b/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/LoginParameter.java
index 4d8728886c..1757c05705 100644
--- a/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/LoginParameter.java
+++ b/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/LoginParameter.java
@@ -13,7 +13,6 @@
  limitations under the License. */
 package com.predic8.membrane.core.interceptor.oauth2client;
 
-import com.bornium.http.util.UriUtil;
 import com.predic8.membrane.annot.MCAttribute;
 import com.predic8.membrane.annot.MCElement;
 import com.predic8.membrane.core.exchange.Exchange;
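Review bot: The name check runs only from this lifecycle hook, but `copyLoginParameters` is `public static`, takes its list from the caller and appends `lp.getName()` into the authorization URL without encoding, so a `LoginParameter` constructed programmatically and never `init()`ed can still smuggle `&`/`=` into the redirect. Validating in the `name` setter or constructor instead would cover every path and make this loop, and the identical one added to `OAuth2Resource2Interceptor.init(Router)`, unnecessary. If `loginParameters` can be `null` when no child element is configured, this loop also NPEs at startup; the field's initialization is not visible in the hunk. The enclosing class continues outside the hunk.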
@@ -21,10 +20,13 @@
 import com.predic8.membrane.core.util.URLParamUtil;
 
 import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 @MCElement(name = "loginParameter")
 public class LoginParameter {
 
@@ -38,6 +40,11 @@ public LoginParameter(String name, String value) {
         this.value = value;
     }
 
+    public void init() throws UnsupportedEncodingException {
+        if (!name.equals(URLEncoder.encode(name, UTF_8)))
+            throw new RuntimeException(" may only take a name which is identical under URL encoding so far: " + name);
+    }
+
     public static String copyLoginParameters(Exchange exc, List loginParameters) throws Exception {
         StringBuilder sb = new StringBuilder();
 
@@ -46,23 +53,19 @@ public static String copyLoginParameters(Exchange exc, List logi
         Map params = URLParamUtil.getParams(new URIFactory(), exc, URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR);
 
         loginParameters.forEach(lp -> {
-            try {
-                if (lp.getValue() != null) {
+            if (lp.getValue() != null) {
+                sb.append("&");
+                sb.append(lp.getName());
+                sb.append("=");
+                sb.append(URLEncoder.encode(lp.getValue(), UTF_8));
+            } else {
+                if (params.containsKey(lp.getName())) {
+                    String encoded = URLEncoder.encode(params.get(lp.getName()), UTF_8);
                     sb.append("&");
                     sb.append(lp.getName());
                     sb.append("=");
-                    sb.append(UriUtil.encode(lp.getValue()));
-                } else {
-                    if (params.containsKey(lp.getName())) {
-                        String encoded = UriUtil.encode(params.get(lp.getName()));
-                        sb.append("&");
-                        sb.append(lp.getName());
-                        sb.append("=");
-                        sb.append(encoded);
-                    }
+                    sb.append(encoded);
                 }
-            } catch (UnsupportedEncodingException e) {
-                throw new RuntimeException(e);
             }
         });
 
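Review bot: `throws UnsupportedEncodingException` on the new `init()` is stale, since `URLEncoder.encode(String, Charset)` does not throw it, and a `null` name (possible if the `@MCAttribute` setter was never called) hits `name.equals` with an NPE before the check runs; `IllegalArgumentException` also fits a configuration error better than bare `RuntimeException`, and the message starting with a space looks like a `<loginParameter>` token lost in rendering. I would write `public void init() {` / `if (name == null || !name.equals(URLEncoder.encode(name, UTF_8)))` / `throw new IllegalArgumentException("<loginParameter> name must be unchanged by URL encoding, got: " + name);`. The method also deserves a comment saying why it exists, e.g. `// copyLoginParameters appends the name to the authorization URL unencoded; reject names that could inject extra query parameters`. Both callers already declare `throws Exception`, so dropping the clause is source-compatible, and the `java.io.UnsupportedEncodingException` import can go with it if nothing else in the file uses it.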
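Review bot: `lp.getName()` is still appended unencoded on both branches, so this method's safety rests on every element having passed `init()`, which nothing in the method verifies even though the list is supplied by the caller of a `public static` method; either state the precondition, `// names are appended raw: LoginParameter.init() must have verified they are stable under URL encoding`, or re-run the cheap equality check before appending. Re-encoding the request-supplied value with `URLEncoder.encode` is the right fix, because an incoming `%26` can no longer split into a second parameter, but it is form encoding (space becomes `+`, not `%20`), which the authorization server must decode as form data; whether that differs from the removed `UriUtil.encode` is not visible here and is worth confirming. `params.get(lp.getName())` returning `null` for a key that `containsKey` reports would NPE inside `encode`; whether `URLParamUtil.getParams` can produce such entries is also outside the hunk. `copyLoginParameters` continues past the end of the hunk.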
diff --git a/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.java b/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.java
index 6226b2c45b..86dabe4454 100644
--- a/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.java
+++ b/core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.java
@@ -109,6 +109,8 @@ public void init(Router router) throws Exception {
         oAuth2CallbackRequestHandler.init(uriFactory, auth, originalExchangeStore, accessTokenRevalidator, sessionAuthorizer, publicUrlManager, callbackPath, onlyRefreshToken);
         tokenAuthenticator.init(sessionAuthorizer, statistics, accessTokenRevalidator, auth);
+        for (LoginParameter loginParameter : loginParameters)
+            loginParameter.init();
     }
 
     @Override
diff --git a/core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/OAuth2ResourceB2CTest.java b/core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/OAuth2ResourceB2CTest.java
index 82cddaac59..8e75123174 100644
--- a/core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/OAuth2ResourceB2CTest.java
+++ b/core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/OAuth2ResourceB2CTest.java
@@ -356,7 +356,7 @@ public void loginParams() throws Exception {
 
     @Test
     public void loginParamsPerFlow() throws Exception {
-        Exchange exc = new Request.Builder().get(getClientAddress() + "/pe/init?domain_hint=flow&illegal=true").buildExchange();
+        Exchange exc = new Request.Builder().get(getClientAddress() + "/pe/init?domain_hint=flow%c3%b6&illegal=true").buildExchange();
         browser.applyWithoutRedirect(exc);
 
         String location = exc.getResponse().getHeader().getFirstValue("Location");
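Review bot: The new loop dereferences `loginParameters` unconditionally at the end of `init(Router)`; if that field stays `null` when no `<loginParameter>` child is configured (its declaration is outside the hunk), every proxy without login parameters now fails to start with an NPE. Either guard it, `if (loginParameters != null)`, or confirm the field is initialized to an empty list. Running the validation before the handler wiring above it would also fail fast on a bad configuration without first initializing the callback handler and token authenticator. `init(Router)` begins outside the hunk.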
@@ -369,7 +369,7 @@ public void loginParamsPerFlow() throws Exception {
         assertTrue(params.containsKey("fooflow"));
         assertEquals("bar", params.get("foo"));
         assertTrue(params.containsKey("domain_hint"));
-        assertEquals("flow", params.get("domain_hint"));
+        assertEquals("flow\u00f6", params.get("domain_hint")); // 'c3 b6' in UTF-8 for unicode '00 f6': o umlaut
         assertFalse(params.containsKey("illegal"));
     }
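Review bot: The changed assertion pins only the non-ASCII round trip, while the property the encoding change actually protects, that a request-supplied value cannot break out of its own parameter, has no test. Add a case that sends `domain_hint=a%26illegal%3Dtrue` and asserts `assertEquals("a&illegal=true", params.get("domain_hint"));` alongside the existing `assertFalse(params.containsKey("illegal"));`, assuming the helper that builds `params` decodes percent-escapes as the new `flowö` assertion already relies on. A negative test that `new LoginParameter("a&b", null).init()` throws would cover the name-side guard too. The trailing comment could be shortened to `// %c3%b6 is UTF-8 for U+00F6 (ö)`, which says the same thing.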