author | Abhishek Patel <5524161+Abhishek8394@users.noreply.github.com> | 2019-05-12 20:35:00 -0700 |
---|---|---|
committer | Abhishek Patel <5524161+Abhishek8394@users.noreply.github.com> | 2019-05-14 00:37:59 -0700 |
commit | ee06f0f3349d7fd656d35a2eef40ee18fb74e303 (patch) | |
tree | 77c729a7be6b3f7d789d511caf9f67dd941d54dc | |
parent | 047ceccf48ea7ccd4ecc6b48a8ddb6dd4a14abd6 (diff) | |
download | oauthlib-ee06f0f3349d7fd656d35a2eef40ee18fb74e303.tar.gz |
Ban all query parameters on Introspection, Token and Revocation endpoint
4 files changed, 15 insertions, 26 deletions
diff --git a/oauthlib/oauth2/rfc6749/endpoints/base.py b/oauthlib/oauth2/rfc6749/endpoints/base.py
index dc3204b..c99c22d 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/base.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/base.py
@@ -19,14 +19,12 @@ from oauthlib.common import CaseInsensitiveDict, urldecode
 log = logging.getLogger(__name__)
-BLACKLIST_QUERY_PARAMS = {'client_secret', 'code_verifier'}
 class BaseEndpoint(object):
     def __init__(self):
         self._available = True
         self._catch_errors = False
-        self._blacklist_query_params = BLACKLIST_QUERY_PARAMS
     @property
     def available(self):
@@ -70,12 +68,10 @@ class BaseEndpoint(object):
         """Raise if invalid POST request received
         """
         if request.http_method.lower() == 'post':
-            query_params = CaseInsensitiveDict(dict(urldecode(request.uri_query)))
-            for param in self._blacklist_query_params:
-                if param in query_params:
-                    raise InvalidRequestError(request=request,
-                                              description=('"%s" is not allowed as a url query' +\
-                                                           ' parameter') % (param))
+            query_params = request.uri_query or ""
+            if query_params:
+                raise InvalidRequestError(request=request,
+                                          description=('URL query parameters are not allowed'))
 def catch_errors_and_unavailability(f):
     @functools.wraps(f)
diff --git a/tests/oauth2/rfc6749/endpoints/test_error_responses.py b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
index 4a288ad..2b87032 100644
--- a/tests/oauth2/rfc6749/endpoints/test_error_responses.py
+++ b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
@@ -11,7 +11,6 @@ from oauthlib.oauth2 import (BackendApplicationServer, LegacyApplicationServer,
                              MobileApplicationServer, RequestValidator,
                              WebApplicationServer)
 from oauthlib.oauth2.rfc6749 import errors
-from oauthlib.oauth2.rfc6749.endpoints.base import BLACKLIST_QUERY_PARAMS
 from ....unittest import TestCase
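Review bot: The new guard in the second base.py hunk can be a single `if request.uri_query:` — the `query_params = request.uri_query or ""` binding exists only to be tested for truthiness, and the parentheses around `'URL query parameters are not allowed'` are a leftover of the removed `%` formatting. The hunk header still shows `from oauthlib.common import CaseInsensitiveDict, urldecode`, whose only users visible here were the removed lines; if nothing else in base.py references them the import is now dead. Now that the rule is unconditional the docstring should state it and its rationale, e.g. `"""Reject POST requests that carry a URL query string; RFC 6749 §2.3.1 requires client credentials in the request body, and query strings are copied into access logs and Referer headers, so a credential there is leaked."""`. The new description no longer echoes the offending parameter name, which is an improvement since that text came straight from the request. The enclosing method's `def` line is above the hunk.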
@@ -442,25 +441,22 @@ class ErrorResponseTest(TestCase):
     def test_invalid_post_request(self):
         self.validator.authenticate_client.side_effect = self.set_client
-        for param in BLACKLIST_QUERY_PARAMS:
+        for param in ['token', 'secret', 'code', 'foo']:
             uri = 'https://i/b/token?' + urlencode([(param, 'secret')])
             _, body, s = self.web.create_introspect_response(uri, body='grant_type=access_token&code=123')
             self.assertEqual(json.loads(body)['error'], 'invalid_request')
-            self.assertIn(param, json.loads(body)['error_description'])
-            self.assertIn('not allowed', json.loads(body)['error_description'])
+            self.assertIn('query parameters are not allowed', json.loads(body)['error_description'])
             self.assertEqual(s, 400)
             _, body, s = self.legacy.create_introspect_response(uri, body='grant_type=access_token&code=123')
             self.assertEqual(json.loads(body)['error'], 'invalid_request')
-            self.assertIn(param, json.loads(body)['error_description'])
-            self.assertIn('not allowed', json.loads(body)['error_description'])
+            self.assertIn('query parameters are not allowed', json.loads(body)['error_description'])
             self.assertEqual(s, 400)
             _, body, s = self.backend.create_introspect_response(uri, body='grant_type=access_token&code=123')
             self.assertEqual(json.loads(body)['error'], 'invalid_request')
-            self.assertIn(param, json.loads(body)['error_description'])
-            self.assertIn('not allowed', json.loads(body)['error_description'])
+            self.assertIn('query parameters are not allowed', json.loads(body)['error_description'])
             self.assertEqual(s, 400)
diff --git a/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py b/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
index 234a4ef..a34c970 100644
--- a/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
+++ b/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
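Review bot: The added assertion `self.assertIn('query parameters are not allowed', json.loads(body)['error_description'])` is identical for all three servers and no longer involves `param`, so a failure will not say which of `'token', 'secret', 'code', 'foo'` or which server produced it. Wrapping each loop body in `with self.subTest(param=param):` (if the project's TestCase shim provides it) and parsing `json.loads(body)` once per response would keep the failure message informative. The same pattern recurs in the test_introspect_endpoint.py and test_revocation_endpoint.py hunks.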
@@ -7,7 +7,6 @@ from mock import MagicMock
 from oauthlib.common import urlencode
 from oauthlib.oauth2 import RequestValidator, IntrospectEndpoint
-from oauthlib.oauth2.rfc6749.endpoints.base import BLACKLIST_QUERY_PARAMS
 from ....unittest import TestCase
@@ -144,14 +143,14 @@ class IntrospectEndpointTest(TestCase):
     def test_introspect_bad_post_request(self):
         endpoint = IntrospectEndpoint(self.validator, supported_token_types=['access_token'])
-        for param in BLACKLIST_QUERY_PARAMS:
+        for param in ['token', 'secret', 'code', 'foo']:
             uri = 'http://some.endpoint?' + urlencode([(param, 'secret')])
             body = urlencode([('token', 'foo'), ('token_type_hint', 'access_token')])
-            h, b, s = endpoint.create_introspect_response(uri, headers=self.headers, body=body)
+            h, b, s = endpoint.create_introspect_response(
+                    uri,
+                    headers=self.headers, body=body)
             self.assertEqual(h, self.resp_h)
             self.assertEqual(loads(b)['error'], 'invalid_request')
-            self.assertIn(param, loads(b)['error_description'])
-            self.assertIn('not allowed', loads(b)['error_description'])
+            self.assertIn('query parameters are not allowed', loads(b)['error_description'])
             self.assertEqual(s, 400)
diff --git a/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py b/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py
index e89c3bd..c73a1ef 100644
--- a/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py
+++ b/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py
@@ -7,7 +7,6 @@ from mock import MagicMock
 from oauthlib.common import urlencode
 from oauthlib.oauth2 import RequestValidator, RevocationEndpoint
-from oauthlib.oauth2.rfc6749.endpoints.base import BLACKLIST_QUERY_PARAMS
 from ....unittest import TestCase
@@ -125,7 +124,7 @@ class RevocationEndpointTest(TestCase):
     def test_revoke_bad_post_request(self):
         endpoint = RevocationEndpoint(self.validator, supported_token_types=['access_token'])
-        for param in BLACKLIST_QUERY_PARAMS:
+        for param in ['token', 'secret', 'code', 'foo']:
             uri = 'http://some.endpoint?' + urlencode([(param, 'secret')])
             body = urlencode([('token', 'foo'), ('token_type_hint', 'access_token')])
@@ -133,6 +132,5 @@ class RevocationEndpointTest(TestCase):
                     headers=self.headers, body=body)
             self.assertEqual(h, self.resp_h)
             self.assertEqual(loads(b)['error'], 'invalid_request')
-            self.assertIn(param, loads(b)['error_description'])
-            self.assertIn('not allowed', loads(b)['error_description'])
+            self.assertIn('query parameters are not allowed', loads(b)['error_description'])
             self.assertEqual(s, 400)