fix

Author: wxiaoguang

custom/conf/app.example.ini

@@ -592,6 +592,11 @@ ENABLED = true
 ;; * https://github.com/git-ecosystem/git-credential-manager
 ;; * https://gitea.com/gitea/tea
 ;DEFAULT_APPLICATIONS = git-credential-oauth, git-credential-manager, tea
+;;
+;; By default, OAuth2 applications can only use "http" and "https" as their redirect URI schemes.
+;; If you need to use other schemes (e.g. for desktop applications), you can specify them here as a comma-separated list.
+;; For example: set "my-scheme, com.example.app" to support "my-scheme://..." and "com.example.app://..." redirect URIs.
+;CUSTOM_SCHEMES =
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

modules/setting/oauth2.go

@@ -99,6 +99,7 @@ var OAuth2 = struct {
 	JWTClaimIssuer             string `ini:"JWT_CLAIM_ISSUER"`
 	MaxTokenLength             int
 	DefaultApplications        []string
+	CustomSchemes              []string
 }{
 	Enabled:                    true,
 	AccessTokenExpirationTime:  3600,

modules/validation/binding.go

@@ -13,7 +13,6 @@ import (
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/glob"
 	"code.gitea.io/gitea/modules/json"
-	"code.gitea.io/gitea/modules/util"
 
 	"gitea.com/go-chi/binding"
 )
@@ -51,7 +50,6 @@ func (j jsonProvider) NewEncoder(writer io.Writer) binding.JSONEncoder {
 func AddBindingRules() {
 	binding.JSONProvider = jsonProvider{}
 	addGitRefNameBindingRule()
-	addValidURLListBindingRule()
 	addValidURLBindingRule()
 	addValidSiteURLBindingRule()
 	addGlobPatternRule()
@@ -80,33 +78,6 @@ func addGitRefNameBindingRule() {
 	})
 }
 
-func addValidURLListBindingRule() {
-	// URL validation rule
-	binding.AddRule(&binding.Rule{
-		IsMatch: func(rule string) bool {
-			return rule == "ValidUrlList"
-		},
-		IsValid: func(errs binding.Errors, name string, val any) (bool, binding.Errors) {
-			str := fmt.Sprintf("%v", val)
-			if len(str) == 0 {
-				errs.Add([]string{name}, binding.ERR_URL, "Url")
-				return false, errs
-			}
-
-			ok := true
-			urls := util.SplitTrimSpace(str, "\n")
-			for _, u := range urls {
-				if !IsValidURL(u) {
-					ok = false
-					errs.Add([]string{name}, binding.ERR_URL, u)
-				}
-			}
-
-			return ok, errs
-		},
-	})
-}
-
 func addValidURLBindingRule() {
 	// URL validation rule
 	binding.AddRule(&binding.Rule{

modules/validation/binding_test.go

@@ -27,7 +27,6 @@ type (
 	TestForm struct {
 		BranchName   string `form:"BranchName" binding:"GitRefName"`
 		URL          string `form:"ValidUrl" binding:"ValidUrl"`
-		URLs         string `form:"ValidUrls" binding:"ValidUrlList"`
 		GlobPattern  string `form:"GlobPattern" binding:"GlobPattern"`
 		RegexPattern string `form:"RegexPattern" binding:"RegexPattern"`
 	}

modules/validation/validurllist_test.go

@@ -78,7 +78,15 @@ func GetInclude(field reflect.StructField) string {
 	return getRuleBody(field, "Include(")
 }
 
-// Validate validate
+func ReportValidationError(errs binding.Errors, data map[string]any, fieldName, classification, errorMsg string) {
+	data["HasError"] = true
+	data["ErrorMsg"] = fieldName + ": " + errorMsg
+	if fieldName != "" && fieldName != "-" {
+		data["Err_"+fieldName] = true
+	}
+	errs.Add([]string{fieldName}, classification, errorMsg)
+}
+
 func Validate(errs binding.Errors, data map[string]any, f Form, l translation.Locale) binding.Errors {
 	if errs.Len() == 0 {
 		return errs

modules/web/middleware/binding.go

@@ -18,6 +18,7 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	"code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/services/convert"
+	"code.gitea.io/gitea/services/forms"
 )
 
 // ListAccessTokens list all the access tokens
@@ -228,7 +229,10 @@ func CreateOauth2Application(ctx *context.APIContext) {
 	//     "$ref": "#/responses/error"
 
 	data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions)
-
+	if invalidURI := forms.DetectInvalidOAuth2ApplicationRedirectURI(data.RedirectURIs); invalidURI != "" {
+		ctx.APIError(http.StatusBadRequest, "invalid redirect URI: "+invalidURI)
+		return
+	}
 	app, err := auth_model.CreateOAuth2Application(ctx, auth_model.CreateOAuth2ApplicationOptions{
 		Name:                       data.Name,
 		UserID:                     ctx.Doer.ID,
@@ -382,11 +386,17 @@ func UpdateOauth2Application(ctx *context.APIContext) {
 	// responses:
 	//   "200":
 	//     "$ref": "#/responses/OAuth2Application"
+	//   "400":
+	//     "$ref": "#/responses/error"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 	appID := ctx.PathParamInt64("id")
 
 	data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions)
+	if invalidURI := forms.DetectInvalidOAuth2ApplicationRedirectURI(data.RedirectURIs); invalidURI != "" {
+		ctx.APIError(http.StatusBadRequest, "invalid redirect URI: "+invalidURI)
+		return
+	}
 
 	app, err := auth_model.UpdateOAuth2Application(ctx, auth_model.UpdateOAuth2ApplicationOptions{
 		Name:                       data.Name,

routers/api/v1/user/app.go

@@ -7,9 +7,12 @@ package forms
 import (
 	"mime/multipart"
 	"net/http"
+	"strings"
 
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/context"
 
@@ -356,14 +359,31 @@ func (f *NewAccessTokenForm) Validate(req *http.Request, errs binding.Errors) bi
 // EditOAuth2ApplicationForm form for editing oauth2 applications
 type EditOAuth2ApplicationForm struct {
 	Name                       string `binding:"Required;MaxSize(255)" form:"application_name"`
-	RedirectURIs               string `binding:"Required;ValidUrlList" form:"redirect_uris"`
+	RedirectURIs               string `binding:"Required" form:"redirect_uris"`
 	ConfidentialClient         bool   `form:"confidential_client"`
 	SkipSecondaryAuthorization bool   `form:"skip_secondary_authorization"`
 }
 
+func DetectInvalidOAuth2ApplicationRedirectURI(uris []string) (invalidURL string) {
+	for _, u := range uris {
+		scheme, _, ok := strings.Cut(u, ":")
+		valid := ok && (strings.EqualFold(scheme, "http") ||
+			strings.EqualFold(scheme, "https") ||
+			util.SliceContainsString(setting.OAuth2.CustomSchemes, scheme, true))
+		if !valid {
+			return u
+		}
+	}
+	return ""
+}
+
 // Validate validates the fields
 func (f *EditOAuth2ApplicationForm) Validate(req *http.Request, errs binding.Errors) binding.Errors {
 	ctx := context.GetValidateContext(req)
+	invalidURI := DetectInvalidOAuth2ApplicationRedirectURI(util.SplitTrimSpace(f.RedirectURIs, "\n"))
+	if invalidURI != "" {
+		middleware.ReportValidationError(errs, ctx.Data, "RedirectURIs", binding.ERR_URL, ctx.Locale.TrString("form.url_error", invalidURI))
+	}
 	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
 }
 

services/forms/user_form.go

@@ -10,6 +10,7 @@ import (
 
 	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/tests"
 
 	"github.com/stretchr/testify/assert"
@@ -311,18 +312,25 @@ func TestUserSettingsApplications(t *testing.T) {
 				resp := session.MakeRequest(t, req, http.StatusOK)
 				doc := NewHTMLParser(t, resp.Body)
 				msg := strings.TrimSpace(doc.Find(".ui.message.flash-message").Text())
-				assert.Equal(t, `form.RedirectURIs"ftp://127.0.0.1" is not a valid URL.`, msg)
+				assert.Equal(t, `RedirectURIs: "ftp://127.0.0.1" is not a valid URL.`, msg)
 			})
 
 			t.Run("OK", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
-
+				defer test.MockVariableValue(&setting.OAuth2.CustomSchemes, []string{"my-app"})()
 				req := NewRequestWithValues(t, "POST", "/user/settings/applications/oauth2/2", map[string]string{
 					"application_name":    "Test native app",
 					"redirect_uris":       "http://127.0.0.1",
 					"confidential_client": "false",
 				})
 				session.MakeRequest(t, req, http.StatusSeeOther)
+
+				req = NewRequestWithValues(t, "POST", "/user/settings/applications/oauth2/2", map[string]string{
+					"application_name":    "Test native app",
+					"redirect_uris":       "my-app://127.0.0.1",
+					"confidential_client": "false",
+				})
+				session.MakeRequest(t, req, http.StatusSeeOther)
 			})
 		})
 	})