From 9af7d77edf08a8e562320d46a9c0c15f6b5ed891 Mon Sep 17 00:00:00 2001 From: Kartik Ohri Date: Fri, 5 Apr 2024 19:25:49 +0530 Subject: [PATCH] rfc7636: validate code challenge format [Section 4.2 of RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636#section-4.2) mentions the ABNF form to which the code challenge should adhere. authlib currently accepts any string in code_challenge without validating if it matches the format specified in the RFC. Fix the same and also update relevant tests. --- authlib/oauth2/rfc7636/challenge.py | 4 ++++ .../flask/test_oauth2/test_code_challenge.py | 21 ++++++++++++------- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/authlib/oauth2/rfc7636/challenge.py b/authlib/oauth2/rfc7636/challenge.py index 8303092e..38e623f9 100644 --- a/authlib/oauth2/rfc7636/challenge.py +++ b/authlib/oauth2/rfc7636/challenge.py @@ -9,6 +9,7 @@ CODE_VERIFIER_PATTERN = re.compile(r'^[a-zA-Z0-9\-._~]{43,128}$') +CODE_CHALLENGE_PATTERN = re.compile(r'^[a-zA-Z0-9\-._~]{43,128}$') def create_s256_code_challenge(code_verifier): @@ -76,6 +77,9 @@ def validate_code_challenge(self, grant): if not challenge: raise InvalidRequestError('Missing "code_challenge"') + if not CODE_CHALLENGE_PATTERN.match(challenge): + raise InvalidRequestError('Invalid "code_challenge"') + if method and method not in self.SUPPORTED_CODE_CHALLENGE_METHOD: raise InvalidRequestError('Unsupported "code_challenge_method"') diff --git a/tests/flask/test_oauth2/test_code_challenge.py b/tests/flask/test_oauth2/test_code_challenge.py index f3c25795..a5a740f7 100644 --- a/tests/flask/test_oauth2/test_code_challenge.py +++ b/tests/flask/test_oauth2/test_code_challenge.py @@ -65,18 +65,23 @@ def test_missing_code_challenge(self): def test_has_code_challenge(self): self.prepare_data() - rv = self.client.get(self.authorize_url + '&code_challenge=abc') + rv = self.client.get(self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s') self.assertEqual(rv.data, b'ok') + def test_invalid_code_challenge(self): + self.prepare_data() + rv = self.client.get(self.authorize_url + '&code_challenge=abc&code_challenge_method=plain') + self.assertIn(b'Invalid', rv.data) + def test_invalid_code_challenge_method(self): self.prepare_data() - suffix = '&code_challenge=abc&code_challenge_method=invalid' + suffix = '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s&code_challenge_method=invalid' rv = self.client.get(self.authorize_url + suffix) self.assertIn(b'Unsupported', rv.data) def test_supported_code_challenge_method(self): self.prepare_data() - suffix = '&code_challenge=abc&code_challenge_method=plain' + suffix = '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s&code_challenge_method=plain' rv = self.client.get(self.authorize_url + suffix) self.assertEqual(rv.data, b'ok') @@ -101,7 +106,7 @@ def test_trusted_client_without_code_challenge(self): def test_missing_code_verifier(self): self.prepare_data() - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' rv = self.client.post(url, data={'user_id': '1'}) self.assertIn('code=', rv.location) @@ -117,7 +122,7 @@ def test_missing_code_verifier(self): def test_trusted_client_missing_code_verifier(self): self.prepare_data('client_secret_basic') - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' rv = self.client.post(url, data={'user_id': '1'}) self.assertIn('code=', rv.location) @@ -133,7 +138,7 @@ def test_trusted_client_missing_code_verifier(self): def test_plain_code_challenge_invalid(self): self.prepare_data() - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' rv = self.client.post(url, data={'user_id': '1'}) self.assertIn('code=', rv.location) @@ -150,7 +155,7 @@ def test_plain_code_challenge_invalid(self): def test_plain_code_challenge_failed(self): self.prepare_data() - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' rv = self.client.post(url, data={'user_id': '1'}) self.assertIn('code=', rv.location) @@ -206,7 +211,7 @@ def test_s256_code_challenge_success(self): def test_not_implemented_code_challenge_method(self): self.prepare_data() - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' url += '&code_challenge_method=S128' rv = self.client.post(url, data={'user_id': '1'})