author | Abhishek Patel <5524161+Abhishek8394@users.noreply.github.com> | 2019-05-06 22:28:23 -0700 |
---|---|---|
committer | Abhishek Patel <5524161+Abhishek8394@users.noreply.github.com> | 2019-05-14 00:37:59 -0700 |
commit | bbbcca731d5db16d7b1765070880aa54288788e9 (patch) | |
tree | 3073af1a6721c904af1922e836c80c1ac06c38d8 | |
parent | 18425dd9634c14c8eba7377f53699db5f3c3e97a (diff) | |
download | oauthlib-bbbcca731d5db16d7b1765070880aa54288788e9.tar.gz |
Add validation check for presence of forbidden query parameters in OAuth2 TokenEndpoint, IntrospectionEndpoint and RevocationEndpoint
-rw-r--r-- | oauthlib/oauth2/rfc6749/endpoints/base.py | 12 | ||||
-rw-r--r-- | oauthlib/oauth2/rfc6749/endpoints/introspect.py | 1 | ||||
-rw-r--r-- | oauthlib/oauth2/rfc6749/endpoints/revocation.py | 1 | ||||
-rw-r--r-- | oauthlib/oauth2/rfc6749/endpoints/token.py | 5 |
4 files changed, 18 insertions, 1 deletions
diff --git a/oauthlib/oauth2/rfc6749/endpoints/base.py b/oauthlib/oauth2/rfc6749/endpoints/base.py index c0fc726..29086e4 100644 --- a/oauthlib/oauth2/rfc6749/endpoints/base.py +++ b/oauthlib/oauth2/rfc6749/endpoints/base.py @@ -15,6 +15,8 @@ from ..errors import (FatalClientError, OAuth2Error, ServerError, TemporarilyUnavailableError, InvalidRequestError, InvalidClientError, UnsupportedTokenTypeError) +from oauthlib.common import CaseInsensitiveDict + log = logging.getLogger(__name__) @@ -23,6 +25,7 @@ class BaseEndpoint(object): def __init__(self): self._available = True self._catch_errors = False + self._blacklist_query_params = {'client_secret', 'code_verifier'} @property def available(self): @@ -62,6 +65,15 @@ class BaseEndpoint(object): request.token_type_hint not in self.supported_token_types): raise UnsupportedTokenTypeError(request=request) + def _raise_on_bad_post_request(self, request): + """Raise if invalid POST request received + """ + if request.http_method.lower() == 'post': + query_params = CaseInsensitiveDict(urldecode(request.uri_query)) + for k in self._blacklist_query_params: + if k in query_params: + raise InvalidRequestError(request=request, + description='Query parameters not allowed') def catch_errors_and_unavailability(f): @functools.wraps(f) diff --git a/oauthlib/oauth2/rfc6749/endpoints/introspect.py b/oauthlib/oauth2/rfc6749/endpoints/introspect.py index 47022fd..547e7db 100644 --- a/oauthlib/oauth2/rfc6749/endpoints/introspect.py +++ b/oauthlib/oauth2/rfc6749/endpoints/introspect.py @@ -117,6 +117,7 @@ class IntrospectEndpoint(BaseEndpoint): .. _`section 1.5`: http://tools.ietf.org/html/rfc6749#section-1.5 .. _`RFC6749`: http://tools.ietf.org/html/rfc6749 """ + self._raise_on_bad_post_request(request) self._raise_on_missing_token(request) self._raise_on_invalid_client(request) self._raise_on_unsupported_token(request) 
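Review bot: `self._blacklist_query_params = {'client_secret', 'code_verifier'}` is created per instance inside `BaseEndpoint.__init__`, so any endpoint subclass that overrides `__init__` without calling the base initialiser will hit an AttributeError inside `_raise_on_bad_post_request` instead of the intended InvalidRequestError. Declaring it as a class attribute on `BaseEndpoint`, `_blacklist_query_params = {'client_secret', 'code_verifier'}`, avoids that failure mode and lets a subclass extend the set by overriding the attribute rather than mutating shared state. Whether the existing subclass initialisers call the base one is outside this hunk.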
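Review bot: `_raise_on_bad_post_request` calls `urldecode(request.uri_query)`, but the only name this commit imports from oauthlib.common is `CaseInsensitiveDict` (first hunk of this file); unless `urldecode` is already imported above the visible context, the first POST reaching this method fails with NameError rather than InvalidRequestError. If it is missing, the import line becomes `from oauthlib.common import CaseInsensitiveDict, urldecode`. The docstring should also say what "invalid" means here, e.g. `"""Raise InvalidRequestError if a POST carries a blacklisted parameter in the query string (RFC 6749 §2.3.1 requires client credentials in the body, and a query-string copy is exposed in server and proxy logs)."""`. Limiting the check to POST is consistent with the token endpoint requiring POST, but it is worth a comment on the `if` line so a later reader does not extend it to GET by accident.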
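Review bot: The set checked by the new `self._raise_on_bad_post_request(request)` call is the base default `{'client_secret', 'code_verifier'}`, so a `token` value sent in the query string of an introspection request still passes this check even though RFC 7662 §2.1 carries it in the POST body, and the query-string copy would land in access logs. The same applies to the revocation hunk in the next file, where RFC 7009 §2.1 likewise puts `token` in the body. If that is intentional, consider letting each endpoint extend the forbidden set (the introspection and revocation endpoints adding `'token'`) rather than relying solely on the shared base default. validate_introspect_request continues outside the hunk.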
diff --git a/oauthlib/oauth2/rfc6749/endpoints/revocation.py b/oauthlib/oauth2/rfc6749/endpoints/revocation.py index fda3f30..1439491 100644 --- a/oauthlib/oauth2/rfc6749/endpoints/revocation.py +++ b/oauthlib/oauth2/rfc6749/endpoints/revocation.py @@ -121,6 +121,7 @@ class RevocationEndpoint(BaseEndpoint): .. _`Section 4.1.2`: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11#section-4.1.2 .. _`RFC6749`: https://tools.ietf.org/html/rfc6749 """ + self._raise_on_bad_post_request(request) self._raise_on_missing_token(request) self._raise_on_invalid_client(request) self._raise_on_unsupported_token(request) diff --git a/oauthlib/oauth2/rfc6749/endpoints/token.py b/oauthlib/oauth2/rfc6749/endpoints/token.py index 90fb16f..223e8d0 100644 --- a/oauthlib/oauth2/rfc6749/endpoints/token.py +++ b/oauthlib/oauth2/rfc6749/endpoints/token.py @@ -91,7 +91,7 @@ class TokenEndpoint(BaseEndpoint): """Extract grant_type and route to the designated handler.""" request = Request( uri, http_method=http_method, body=body, headers=headers) - + self.validate_token_request(request) # 'scope' is an allowed Token Request param in both the "Resource Owner Password Credentials Grant" # and "Client Credentials Grant" flows # https://tools.ietf.org/html/rfc6749#section-4.3.2 @@ -115,3 +115,6 @@ class TokenEndpoint(BaseEndpoint): request.grant_type, grant_type_handler) return grant_type_handler.create_token_response( request, self.default_token_type) + + def validate_token_request(self, request): + self._raise_on_bad_post_request(request) |
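Review bot: `self.validate_token_request(request)` now runs before a grant-type handler is selected, so the InvalidRequestError it raises propagates out of create_token_response as a Python exception; if, as the `catch_errors_and_unavailability` name in base.py suggests, errors are only turned into a response when catch_errors is enabled, callers get an exception for this case but an HTTP error body for the other invalid requests the grant types reject themselves. Either document that at the call site, `# Forbidden query params raise InvalidRequestError to the caller`, or wrap the call so it yields an error response the way the introspection and revocation validators appear to. The change also removes the blank line between the Request construction and the validation call; keeping it separates the two steps. create_token_response continues beyond this hunk.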
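Review bot: `validate_token_request` is a new public method on TokenEndpoint with no docstring, while the introspection and revocation hunks call `_raise_on_bad_post_request` directly, so the two styles of wiring the same check are inconsistent. A short docstring states the contract: `"""Reject token requests that carry forbidden parameters in the query string; raises InvalidRequestError."""`. Because the method is public and may be overridden, the docstring should also say that an override must call the base implementation to keep the query-string check in place.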