Skip to content

Commit 787d61e

Browse files
wxiaoguangwxiaoguang
committed
fine tune DetectInvalidOAuth2ApplicationRedirectURI
1 parent 4d4e4df commit 787d61e

2 files changed

Lines changed: 30 additions & 10 deletions

File tree

services/forms/user_form.go

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@ import (
1313
"code.gitea.io/gitea/modules/setting"
1414
"code.gitea.io/gitea/modules/structs"
1515
"code.gitea.io/gitea/modules/util"
16+
"code.gitea.io/gitea/modules/validation"
1617
"code.gitea.io/gitea/modules/web/middleware"
1718
"code.gitea.io/gitea/services/context"
1819

@@ -367,9 +368,7 @@ type EditOAuth2ApplicationForm struct {
367368
func DetectInvalidOAuth2ApplicationRedirectURI(uris []string) (invalidURL string) {
368369
for _, u := range uris {
369370
scheme, _, ok := strings.Cut(u, ":")
370-
valid := ok && (strings.EqualFold(scheme, "http") ||
371-
strings.EqualFold(scheme, "https") ||
372-
util.SliceContainsString(setting.OAuth2.CustomSchemes, scheme, true))
371+
valid := ok && (validation.IsValidURL(u) || util.SliceContainsString(setting.OAuth2.CustomSchemes, scheme))
373372
if !valid {
374373
return u
375374
}

services/forms/user_form_test.go

Lines changed: 28 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -14,15 +14,9 @@ import (
1414
)
1515

1616
func TestRegisterForm_IsDomainAllowed_Empty(t *testing.T) {
17-
oldService := setting.Service
18-
defer func() {
19-
setting.Service = oldService
20-
}()
21-
17+
defer test.MockVariableValue(&setting.Service)()
2218
setting.Service.EmailDomainAllowList = nil
23-
2419
form := RegisterForm{}
25-
2620
assert.True(t, form.IsEmailDomainAllowed())
2721
}
2822

@@ -87,3 +81,30 @@ func TestRegisterForm_IsDomainAllowed_BlockedEmail(t *testing.T) {
8781
assert.Equal(t, v.valid, form.IsEmailDomainAllowed())
8882
}
8983
}
84+
85+
func TestDetectInvalidOAuth2ApplicationRedirectURI(t *testing.T) {
86+
defer test.MockVariableValue(&setting.OAuth2.CustomSchemes)()
87+
setting.OAuth2.CustomSchemes = []string{"my-app"}
88+
assertValid := func(t *testing.T, s string, valid bool) {
89+
ret := DetectInvalidOAuth2ApplicationRedirectURI([]string{s})
90+
if valid {
91+
assert.Empty(t, ret)
92+
} else {
93+
assert.Equal(t, s, ret)
94+
}
95+
}
96+
assertValid(t, "my-app:", true)
97+
assertValid(t, "my-app:/foo", true)
98+
assertValid(t, "http://foo", true)
99+
assertValid(t, "https://foo", true)
100+
101+
assertValid(t, "my-app", false)
102+
assertValid(t, "ftp:", false)
103+
assertValid(t, "ftp://foo", false)
104+
assertValid(t, "https://[invalid", false)
105+
106+
ret := DetectInvalidOAuth2ApplicationRedirectURI([]string{"my-app:", "http://foo", "https://foo"})
107+
assert.Empty(t, ret)
108+
ret = DetectInvalidOAuth2ApplicationRedirectURI([]string{"my-app:", "http://foo", "invalid", "https://foo"})
109+
assert.Equal(t, "invalid", ret)
110+
}

0 commit comments

Comments
 (0)