fix: throw 401 if not a valid path

nordeck · Oct 12, 2024 · d8b6945 · d8b6945
1 parent 61a7817
commit d8b6945
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/adapter.ts b/adapter.ts
@@ -239,7 +239,10 @@ function oidcRedirectForCode(req: Request, prompt: string): Response {
   if (!host) throw ("missing host");
   if (!path) throw ("missing path");
 
-  const bundle = `path=${encodeURIComponent(path)}` +
+  const sanitizedPath = path.replace(/\/+/g, "/");
+  if (!sanitizedPath.match("^/")) throw ("invalid path");
+
+  const bundle = `path=${encodeURIComponent(sanitizedPath)}` +
     `&search=${encodeURIComponent(search)}` +
     `&hash=${encodeURIComponent(hash)}`;
   const target = `${KEYCLOAK_ORIGIN}/realms/${KEYCLOAK_REALM}` +
@@ -251,6 +254,7 @@ function oidcRedirectForCode(req: Request, prompt: string): Response {
   if (DEBUG) console.log(`oidcRedirectForCode prompt: ${prompt}`);
   if (DEBUG) console.log(`oidcRedirectForCode host: ${host}`);
   if (DEBUG) console.log(`oidcRedirectForCode path: ${path}`);
+  if (DEBUG) console.log(`oidcRedirectForCode sanitized: ${sanitizedPath}`);
   if (DEBUG) console.log(`oidcRedirectForCode search: ${search}`);
   if (DEBUG) console.log(`oidcRedirectForCode hash: ${hash}`);
   if (DEBUG) console.log(`oidcRedirectForCode bundle: ${bundle}`);
@@ -264,15 +268,23 @@ function oidcRedirectForCode(req: Request, prompt: string): Response {
 // Don't ask for a credential if auth fails
 // -----------------------------------------------------------------------------
 function redirect(req: Request): Response {
-  return oidcRedirectForCode(req, "none");
+  try {
+    return oidcRedirectForCode(req, "none");
+  } catch {
+    return unauthorized();
+  }
 }
 
 // -----------------------------------------------------------------------------
 // Redirect to Keycloak auth service to get a short-term authorization code.
 // Ask for a credential if auth fails
 // -----------------------------------------------------------------------------
 function auth(req: Request): Response {
-  return oidcRedirectForCode(req, "login");
+  try {
+    return oidcRedirectForCode(req, "login");
+  } catch {
+    return unauthorized();
+  }
 }
 
 // -----------------------------------------------------------------------------