From e428ba5657d4d5e237c3b8ad71bf482cb8edf6fc Mon Sep 17 00:00:00 2001
From: Denis Arnst
Date: Thu, 5 Feb 2026 20:31:07 +0100
Subject: [PATCH] OIDC: Fix CodeQL warnings

---
 server/Auth.js                              | 4 ++--
 server/auth/OidcSettingsSchema.js           | 2 +-
 test/server/auth/OidcSettingsSchema.test.js | 18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/server/Auth.js b/server/Auth.js
index d4f77ae75..522cf3c21 100644
--- a/server/Auth.js
+++ b/server/Auth.js
@@ -303,7 +303,7 @@ class Auth {
 
       const authorizationUrlResponse = this.oidcAuthStrategy.getAuthorizationUrl(req, isMobileFlow, callback)
       if (authorizationUrlResponse.error) {
-        return res.status(authorizationUrlResponse.status).send(authorizationUrlResponse.error)
+        return res.status(authorizationUrlResponse.status).json({ error: authorizationUrlResponse.error })
       }
 
       res.redirect(authorizationUrlResponse.authorizationUrl)
@@ -400,7 +400,7 @@ class Auth {
 
       const openIdIssuerConfig = await this.oidcAuthStrategy.getIssuerConfig(req.query.issuer)
       if (openIdIssuerConfig.error) {
-        return res.status(openIdIssuerConfig.status).send(openIdIssuerConfig.error)
+        return res.status(openIdIssuerConfig.status).json({ error: openIdIssuerConfig.error })
       }
 
       res.json(openIdIssuerConfig)
diff --git a/server/auth/OidcSettingsSchema.js b/server/auth/OidcSettingsSchema.js
index 4562e2064..dbf63e9ef 100644
--- a/server/auth/OidcSettingsSchema.js
+++ b/server/auth/OidcSettingsSchema.js
@@ -296,7 +296,7 @@ function validateSettings(values) {
 
     if (field.validate === 'uri') {
       if (Array.isArray(value)) {
-        const uriPattern = /^\w+:\/\/[\w.-]+(\/[\w./-]*)*$/i
+        const uriPattern = /^\w+:\/\/[\w.-]+(\/[\w./-]*)?$/i
         for (const uri of value) {
           if (!uriPattern.test(uri)) {
             errors.push(`${field.label}: Invalid URI "${uri}"`)
diff --git a/test/server/auth/OidcSettingsSchema.test.js b/test/server/auth/OidcSettingsSchema.test.js
index 951477e73..ecb7639dc 100644
--- a/test/server/auth/OidcSettingsSchema.test.js
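Review bot: The error branch at line 306 of Auth.js changes the response body from a plain string to `{ error: ... }`, and the second hunk makes the same change at line 403, so any web or mobile client that reads these bodies as text will now see a JSON object rather than the message — worth confirming the consumers of both endpoints before merging. The switch itself is the right fix for the presumed CodeQL finding, because Express `res.send(string)` defaults to a `text/html` content type while `res.json` pins `application/json`; a comment would keep that reason from being refactored away, e.g. `// res.json, not res.send: a string body would be served as text/html`. If `authorizationUrlResponse.error` can ever be an `Error` instance rather than a string, `res.json` serialises it as `{}` and the message is lost; I cannot tell from the hunk which it is. The enclosing handler starts and ends outside both hunks.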
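Review bot: Nothing at the `const uriPattern` line tells the next reader that the `?` in `(\/[\w./-]*)?` is a deliberate de-nesting rather than a typo, so the regex should carry a comment such as `// Single optional path group: the earlier (\/[\w./-]*)* form let a run of '/' be split between the group and its inner class and backtracked heavily before failing`. The new pattern keeps the prior restrictions — no `:port`, userinfo, query or fragment in a redirect URI — which the fix neither widens nor documents; if those are intentional, saying so in the same comment heads off a later "bug" report. Longer term, `new URL(uri)` with an explicit check of `protocol` and `hostname` would remove the hand-rolled regex altogether, though custom mobile schemes would still need the `\w+:` allowance. `validateSettings` begins and ends outside the hunk.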
+++ b/test/server/auth/OidcSettingsSchema.test.js
@@ -134,6 +134,24 @@ describe('OidcSettingsSchema - validateSettings', function () {
       expect(result.errors[0]).to.include('Invalid URI')
     })
 
+    it('should not hang on pathological URI input', function () {
+      this.timeout(1000)
+      const result = validateSettings({
+        ...validSettings,
+        authOpenIDMobileRedirectURIs: ['a://-/' + '/'.repeat(100) + '!']
+      })
+      expect(result.valid).to.be.false
+      expect(result.errors[0]).to.include('Invalid URI')
+    })
+
+    it('should accept URI with path segments', function () {
+      const result = validateSettings({
+        ...validSettings,
+        authOpenIDMobileRedirectURIs: ['https://example.com/path/to/callback']
+      })
+      expect(result.valid).to.be.true
+    })
+
     it('should reject unknown keys', function () {
       const result = validateSettings({
         ...validSettings,
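Review bot: The pathological input on the `authOpenIDMobileRedirectURIs` line of the first new test is opaque without the regex alongside it; a comment such as `// many '/' could be split between the path group and its inner class in the old nested-quantifier pattern, so this input forced heavy backtracking; the trailing '!' guarantees a final mismatch` would tell a future reader why `'/'.repeat(100)` and `'!'` are there. The `this.timeout(1000)` guard means a regression surfaces as a mocha timeout rather than an assertion failure, which is acceptable but deserves a word in the comment. The second test is the first positive case for a path-bearing URI; a companion case asserting that a URI with a port or query string is rejected would pin the contract the regex currently enforces, so a later widening is a conscious change.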