From 7db3ec246ef5578b0dd7bd129e6cf08b5f602e43 Mon Sep 17 00:00:00 2001
From: Carlos Quintana <74399022+cquintana92@users.noreply.github.com>
Date: Thu, 21 Jul 2022 14:23:08 +0200
Subject: [PATCH] Mitigate open redirect with OAuth (#1176)
* Mitigate open redirect with OAuth
* Fix tests
---
 app/oauth/views/authorize.py | 8 ++++----
 tests/oauth/test_authorize.py | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/oauth/views/authorize.py b/app/oauth/views/authorize.py
index 98a0b08a..1841b7ee 100644
--- a/app/oauth/views/authorize.py
+++ b/app/oauth/views/authorize.py
@@ -78,13 +78,13 @@ def authorize():
 if hostname != "localhost" and hostname != "127.0.0.1":
 # support custom scheme for mobile app
 if scheme == "http":
- final_redirect_uri = f"{redirect_uri}?error=http_not_allowed"
- return redirect(final_redirect_uri)
+ flash("The external client must use HTTPS", "error")
+ return redirect(url_for("dashboard.index"))
 # check if redirect_uri is valid
 if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri):
- final_redirect_uri = f"{redirect_uri}?error=unknown_redirect_uri"
- return redirect(final_redirect_uri)
+ flash("The external client is using an invalid URL", "error")
+ return redirect(url_for("dashboard.index"))
 # redirect from client website
 if request.method == "GET":
diff --git a/tests/oauth/test_authorize.py b/tests/oauth/test_authorize.py
index 2be9a717..de4b357e 100644
--- a/tests/oauth/test_authorize.py
+++ b/tests/oauth/test_authorize.py
@@ -724,7 +724,7 @@ def test_authorize_page_http_not_allowed(flask_client):
 )
 assert r.status_code == 302
- assert r.location == "http://mywebsite.com?error=http_not_allowed"
+ assert r.location == url_for("dashboard.index")
 def test_authorize_page_unknown_redirect_uri(flask_client):
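Review bot: The two new `flash(...)` / `return redirect(url_for("dashboard.index"))` branches stop using the client-supplied `redirect_uri` as a redirect target, which is the correct behaviour, but nothing in the code records why, so a later "let's tell the client what went wrong" change could reintroduce the reflection; add above `if scheme == "http":` the comment `# Never redirect to an unvalidated redirect_uri (RFC 6749 §4.1.2.1): report the error to the user here instead of bouncing to the client.` Neither branch logs the rejection, so repeated mismatched redirect_uri values for one client id are invisible to monitoring; consider logging `client.id` and the rejected `redirect_uri` at warning level with the module's logger before each `flash` call. The diffstat shows no import change in this file, so `flash` and `url_for` must already be imported here — worth confirming. `authorize()` starts before this hunk and continues past it.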
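Review bot: The updated assertion pins the new redirect target but not the property the fix is about — that the attacker-controlled host never appears in the response — so a regression that redirected to `redirect_uri` with a different query string would only be caught indirectly; add `assert "mywebsite.com" not in r.location` after the changed line here, and `assert "unknown.com" not in r.location` in the `@@ -746,4 +746,4 @@` hunk of the same file. The diffstat shows only these two line pairs changed, so `url_for` must already be imported in this test module and be called under the application context the `flask_client` fixture provides, since `url_for` raises outside one — worth confirming. Neither test checks that the flash message was recorded; that is optional.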
@@ -746,4 +746,4 @@ def test_authorize_page_unknown_redirect_uri(flask_client):
 )
 assert r.status_code == 302
- assert r.location == "https://unknown.com?error=unknown_redirect_uri"
+ assert r.location == url_for("dashboard.index")