OIDC: Fix CodeQL warnings

2026-03-01 13:39:41 +00:00 · 2026-02-05 20:31:07 +01:00 · 2026-02-05 20:31:07 +01:00 · e428ba5657
commit e428ba5657
parent c2a7615319
3 changed files with 21 additions and 3 deletions
--- a/server/Auth.js
+++ b/server/Auth.js
@ -303,7 +303,7 @@ class Auth {
      const authorizationUrlResponse = this.oidcAuthStrategy.getAuthorizationUrl(req, isMobileFlow, callback)

      if (authorizationUrlResponse.error) {
-        return res.status(authorizationUrlResponse.status).send(authorizationUrlResponse.error)
+        return res.status(authorizationUrlResponse.status).json({ error: authorizationUrlResponse.error })
      }

      res.redirect(authorizationUrlResponse.authorizationUrl)
@ -400,7 +400,7 @@ class Auth {

      const openIdIssuerConfig = await this.oidcAuthStrategy.getIssuerConfig(req.query.issuer)
      if (openIdIssuerConfig.error) {
-        return res.status(openIdIssuerConfig.status).send(openIdIssuerConfig.error)
+        return res.status(openIdIssuerConfig.status).json({ error: openIdIssuerConfig.error })
      }

      res.json(openIdIssuerConfig)
--- a/server/auth/OidcSettingsSchema.js
+++ b/server/auth/OidcSettingsSchema.js
@ -296,7 +296,7 @@ function validateSettings(values) {

    if (field.validate === 'uri') {
      if (Array.isArray(value)) {
-        const uriPattern = /^\w+:\/\/[\w.-]+(\/[\w./-]*)*$/i
+        const uriPattern = /^\w+:\/\/[\w.-]+(\/[\w./-]*)?$/i
        for (const uri of value) {
          if (!uriPattern.test(uri)) {
            errors.push(`${field.label}: Invalid URI "${uri}"`)
--- a/test/server/auth/OidcSettingsSchema.test.js
+++ b/test/server/auth/OidcSettingsSchema.test.js
@ -134,6 +134,24 @@ describe('OidcSettingsSchema - validateSettings', function () {
    expect(result.errors[0]).to.include('Invalid URI')
  })

+  it('should not hang on pathological URI input', function () {
+    this.timeout(1000)
+    const result = validateSettings({
+      ...validSettings,
+      authOpenIDMobileRedirectURIs: ['a://-/' + '/'.repeat(100) + '!']
+    })
+    expect(result.valid).to.be.false
+    expect(result.errors[0]).to.include('Invalid URI')
+  })
+
+  it('should accept URI with path segments', function () {
+    const result = validateSettings({
+      ...validSettings,
+      authOpenIDMobileRedirectURIs: ['https://example.com/path/to/callback']
+    })
+    expect(result.valid).to.be.true
+  })
+
  it('should reject unknown keys', function () {
    const result = validateSettings({
      ...validSettings,