Ignore the trailing slashes when comparing oauth2 redirect_uri (#26597) (#26618)

GiteaBot · wxiaoguang · web-flow · commit 4aed0e6b074b · 2023-08-21T14:19:43.000+08:00
Backport #26597 by @wxiaoguang Fix #26526 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
@@ -53,6 +53,15 @@ func (app *OAuth2Application) TableName() string {
 
 // ContainsRedirectURI checks if redirectURI is allowed for app
 func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
+	contains := func(s string) bool {
+		s = strings.TrimSuffix(strings.ToLower(s), "/")
+		for _, u := range app.RedirectURIs {
+			if strings.TrimSuffix(strings.ToLower(u), "/") == s {
+				return true
+			}
+		}
+		return false
+	}
 	if !app.ConfidentialClient {
 		uri, err := url.Parse(redirectURI)
 		// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
@@ -61,13 +70,13 @@ func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
 			if ip != nil && ip.IsLoopback() {
 				// strip port
 				uri.Host = uri.Hostname()
-				if util.SliceContainsString(app.RedirectURIs, uri.String(), true) {
+				if contains(uri.String()) {
 					return true
 				}
 			}
 		}
 	}
-	return util.SliceContainsString(app.RedirectURIs, redirectURI, true)
+	return contains(redirectURI)
 }
 
 // Base32 characters, but lowercased.
diff --git a/models/auth/oauth2_test.go b/models/auth/oauth2_test.go
@@ -63,6 +63,18 @@ func TestOAuth2Application_ContainsRedirectURI_WithPort(t *testing.T) {
 	assert.False(t, app.ContainsRedirectURI(":"))
 }
 
+func TestOAuth2Application_ContainsRedirect_Slash(t *testing.T) {
+	app := &auth_model.OAuth2Application{RedirectURIs: []string{"http://127.0.0.1"}}
+	assert.True(t, app.ContainsRedirectURI("http://127.0.0.1"))
+	assert.True(t, app.ContainsRedirectURI("http://127.0.0.1/"))
+	assert.False(t, app.ContainsRedirectURI("http://127.0.0.1/other"))
+
+	app = &auth_model.OAuth2Application{RedirectURIs: []string{"http://127.0.0.1/"}}
+	assert.True(t, app.ContainsRedirectURI("http://127.0.0.1"))
+	assert.True(t, app.ContainsRedirectURI("http://127.0.0.1/"))
+	assert.False(t, app.ContainsRedirectURI("http://127.0.0.1/other"))
+}
+
 func TestOAuth2Application_ValidateClientSecret(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	app := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: 1})

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,15 @@ func (app *OAuth2Application) TableName() string {`
`53`	`53`
`54`	`54`	`// ContainsRedirectURI checks if redirectURI is allowed for app`
`55`	`55`	`func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {`
	`56`	`+ contains := func(s string) bool {`
	`57`	`+ s = strings.TrimSuffix(strings.ToLower(s), "/")`
	`58`	`+ for _, u := range app.RedirectURIs {`
	`59`	`+ if strings.TrimSuffix(strings.ToLower(u), "/") == s {`
	`60`	`+ return true`
	`61`	`+ }`
	`62`	`+ }`
	`63`	`+ return false`
	`64`	`+ }`
`56`	`65`	`if !app.ConfidentialClient {`
`57`	`66`	`uri, err := url.Parse(redirectURI)`
`58`	`67`	`// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3`
`@@ -61,13 +70,13 @@ func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {`
`61`	`70`	`if ip != nil && ip.IsLoopback() {`
`62`	`71`	`// strip port`
`63`	`72`	`uri.Host = uri.Hostname()`
`64`		`- if util.SliceContainsString(app.RedirectURIs, uri.String(), true) {`
	`73`	`+ if contains(uri.String()) {`
`65`	`74`	`return true`
`66`	`75`	`}`
`67`	`76`	`}`
`68`	`77`	`}`
`69`	`78`	`}`
`70`		`- return util.SliceContainsString(app.RedirectURIs, redirectURI, true)`
	`79`	`+ return contains(redirectURI)`
`71`	`80`	`}`
`72`	`81`
`73`	`82`	`// Base32 characters, but lowercased.`