authorAbhishek Patel <5524161+Abhishek8394@users.noreply.github.com>2019-05-06 22:28:23 -0700
committerAbhishek Patel <5524161+Abhishek8394@users.noreply.github.com>2019-05-14 00:37:59 -0700
commitbbbcca731d5db16d7b1765070880aa54288788e9 (patch)
tree3073af1a6721c904af1922e836c80c1ac06c38d8
parent18425dd9634c14c8eba7377f53699db5f3c3e97a (diff)
downloadoauthlib-bbbcca731d5db16d7b1765070880aa54288788e9.tar.gz
Add validation check for presence of forbidden query parameters in OAuth2 TokenEndpoint, IntrospectionEndpoint and RevocationEndpoint
-rw-r--r--oauthlib/oauth2/rfc6749/endpoints/base.py12
-rw-r--r--oauthlib/oauth2/rfc6749/endpoints/introspect.py1
-rw-r--r--oauthlib/oauth2/rfc6749/endpoints/revocation.py1
-rw-r--r--oauthlib/oauth2/rfc6749/endpoints/token.py5
4 files changed, 18 insertions, 1 deletions
diff --git a/oauthlib/oauth2/rfc6749/endpoints/base.py b/oauthlib/oauth2/rfc6749/endpoints/base.py
index c0fc726..29086e4 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/base.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/base.py
@@ -15,6 +15,8 @@ from ..errors import (FatalClientError, OAuth2Error, ServerError,
TemporarilyUnavailableError, InvalidRequestError,
InvalidClientError, UnsupportedTokenTypeError)
+from oauthlib.common import CaseInsensitiveDict
+
log = logging.getLogger(__name__)
@@ -23,6 +25,7 @@ class BaseEndpoint(object):
def __init__(self):
self._available = True
self._catch_errors = False
+ self._blacklist_query_params = {'client_secret', 'code_verifier'}
@property
def available(self):
@@ -62,6 +65,15 @@ class BaseEndpoint(object):
request.token_type_hint not in self.supported_token_types):
raise UnsupportedTokenTypeError(request=request)
+ def _raise_on_bad_post_request(self, request):
+ """Raise if invalid POST request received
+ """
+ if request.http_method.lower() == 'post':
+ query_params = CaseInsensitiveDict(urldecode(request.uri_query))
+ for k in self._blacklist_query_params:
+ if k in query_params:
+ raise InvalidRequestError(request=request,
+ description='Query parameters not allowed')
def catch_errors_and_unavailability(f):
@functools.wraps(f)
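Review bot: The new line `query_params = CaseInsensitiveDict(urldecode(request.uri_query))` calls `urldecode`, but the import added at the top of this file only brings in `CaseInsensitiveDict`; unless base.py already imports `urldecode` somewhere outside these hunks, the first POST to any endpoint that calls this helper will fail with a NameError instead of the intended InvalidRequestError, so the import should read `from oauthlib.common import CaseInsensitiveDict, urldecode`. The docstring of `_raise_on_bad_post_request` should also state the rule being enforced rather than just "invalid POST request", e.g. `"""Reject a POST whose query string carries client_secret or code_verifier; RFC 6749 section 2.3.1 and RFC 7636 require these in the body, and a URI copy would end up in server access logs."""`. Naming the offending parameter (never its value) in the error description, e.g. `description='Query parameter "%s" not allowed' % k`, would make the rejection easier for client developers to act on. If I recall correctly `urldecode` raises ValueError on a query string that is not valid url-encoding; if so, that would surface from this check as an unhandled exception rather than an invalid_request error, which may be worth catching and converting here.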
diff --git a/oauthlib/oauth2/rfc6749/endpoints/introspect.py b/oauthlib/oauth2/rfc6749/endpoints/introspect.py
index 47022fd..547e7db 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/introspect.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/introspect.py
@@ -117,6 +117,7 @@ class IntrospectEndpoint(BaseEndpoint):
.. _`section 1.5`: http://tools.ietf.org/html/rfc6749#section-1.5
.. _`RFC6749`: http://tools.ietf.org/html/rfc6749
"""
+ self._raise_on_bad_post_request(request)
self._raise_on_missing_token(request)
self._raise_on_invalid_client(request)
self._raise_on_unsupported_token(request)
diff --git a/oauthlib/oauth2/rfc6749/endpoints/revocation.py b/oauthlib/oauth2/rfc6749/endpoints/revocation.py
index fda3f30..1439491 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/revocation.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/revocation.py
@@ -121,6 +121,7 @@ class RevocationEndpoint(BaseEndpoint):
.. _`Section 4.1.2`: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11#section-4.1.2
.. _`RFC6749`: https://tools.ietf.org/html/rfc6749
"""
+ self._raise_on_bad_post_request(request)
self._raise_on_missing_token(request)
self._raise_on_invalid_client(request)
self._raise_on_unsupported_token(request)
diff --git a/oauthlib/oauth2/rfc6749/endpoints/token.py b/oauthlib/oauth2/rfc6749/endpoints/token.py
index 90fb16f..223e8d0 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/token.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/token.py
@@ -91,7 +91,7 @@ class TokenEndpoint(BaseEndpoint):
"""Extract grant_type and route to the designated handler."""
request = Request(
uri, http_method=http_method, body=body, headers=headers)
-
+ self.validate_token_request(request)
# 'scope' is an allowed Token Request param in both the "Resource Owner Password Credentials Grant"
# and "Client Credentials Grant" flows
# https://tools.ietf.org/html/rfc6749#section-4.3.2
@@ -115,3 +115,6 @@ class TokenEndpoint(BaseEndpoint):
request.grant_type, grant_type_handler)
return grant_type_handler.create_token_response(
request, self.default_token_type)
+
+ def validate_token_request(self, request):
+ self._raise_on_bad_post_request(request)