correctly handle path escaping for connector IDs

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

correctly handle path escaping for connector IDs
8fd69c16 · Bob Callaway · ff6e7c76 · 8fd69c16 · 8fd69c16 · 8fd69c16
Commit 8fd69c16 authored 3 years ago by Bob Callaway
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -153,7 +153,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
 	if connectorID != "" {
 		for _, c := range connectors {
 			if c.ID == connectorID {
-				connURL.Path = s.absPath("/auth", c.ID)
+				connURL.Path = s.absPath("/auth", url.PathEscape(c.ID))
 				http.Redirect(w, r, connURL.String(), http.StatusFound)
 				return
 			}
@@ -163,13 +163,13 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
 	}

 	if len(connectors) == 1 && !s.alwaysShowLogin {
-		connURL.Path = s.absPath("/auth", connectors[0].ID)
+		connURL.Path = s.absPath("/auth", url.PathEscape(connectors[0].ID))
 		http.Redirect(w, r, connURL.String(), http.StatusFound)
 	}

 	connectorInfos := make([]connectorInfo, len(connectors))
 	for index, conn := range connectors {
-		connURL.Path = s.absPath("/auth", conn.ID)
+		connURL.Path = s.absPath("/auth", url.PathEscape(conn.ID))
 		connectorInfos[index] = connectorInfo{
 			ID:   conn.ID,
 			Name: conn.Name,
@@ -200,7 +200,13 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	connID := mux.Vars(r)["connector"]
+	connID, err := url.PathUnescape(mux.Vars(r)["connector"])
+	if err != nil {
+		s.logger.Errorf("Failed to parse connector: %v", err)
+		s.renderError(r, w, http.StatusBadRequest, "Requested resource does not exist")
+		return
+	}
+
 	conn, err := s.getConnector(connID)
 	if err != nil {
 		s.logger.Errorf("Failed to get connector: %v", err)
@@ -316,7 +322,12 @@ func (s *Server) handlePasswordLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if connID := mux.Vars(r)["connector"]; connID != "" && connID != authReq.ConnectorID {
+	connID, err := url.PathUnescape(mux.Vars(r)["connector"])
+	if err != nil {
+		s.logger.Errorf("Failed to parse connector: %v", err)
+		s.renderError(r, w, http.StatusBadRequest, "Requested resource does not exist")
+		return
+	} else if connID != "" && connID != authReq.ConnectorID {
 		s.logger.Errorf("Connector mismatch: authentication started with id %q, but password login for id %q was triggered", authReq.ConnectorID, connID)
 		s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
 		return
@@ -401,7 +412,12 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
 		return
 	}

-	if connID := mux.Vars(r)["connector"]; connID != "" && connID != authReq.ConnectorID {
+	connID, err := url.PathUnescape(mux.Vars(r)["connector"])
+	if err != nil {
+		s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err)
+		s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
+		return
+	} else if connID != "" && connID != authReq.ConnectorID {
 		s.logger.Errorf("Connector mismatch: authentication started with id %q, but callback for id %q was triggered", authReq.ConnectorID, connID)
 		s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
 		return

--- a/server/handlers_test.go
+++ b/server/handlers_test.go
@@ -254,6 +254,15 @@ func mockConnectorDataTestStorage(t *testing.T, s storage.Storage) {

 	err = s.CreateConnector(c1)
 	require.NoError(t, err)
+
+	c2 := storage.Connector{
+		ID:   "http://any.valid.url/",
+		Type: "mock",
+		Name: "mockURLID",
+	}
+
+	err = s.CreateConnector(c2)
+	require.NoError(t, err)
 }

 func TestPasswordConnectorDataNotEmpty(t *testing.T) {

--- a/server/server.go
+++ b/server/server.go
@@ -302,7 +302,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		}
 	}

-	r := mux.NewRouter()
+	r := mux.NewRouter().SkipClean(true).UseEncodedPath()
 	handle := func(p string, h http.Handler) {
 		r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
 	}