groove/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-03-04 23:19:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

OIDC: Fix CodeQL warnings

Browse source
This commit is contained in:
Denis Arnst 2026-02-05 20:31:07 +01:00
parent c2a7615319
commit e428ba5657
No known key found for this signature in database
GPG key ID: D5866C58940197BF
3 changed files with 21 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
server/Auth.js
View file

@ -303,7 +303,7 @@ class Auth {
const authorizationUrlResponse = this.oidcAuthStrategy.getAuthorizationUrl(req, isMobileFlow, callback) const authorizationUrlResponse = this.oidcAuthStrategy.getAuthorizationUrl(req, isMobileFlow, callback)
if (authorizationUrlResponse.error) { if (authorizationUrlResponse.error) {
return res.status(authorizationUrlResponse.status).send(authorizationUrlResponse.error) return res.status(authorizationUrlResponse.status).json({ error: authorizationUrlResponse.error })
} }
res.redirect(authorizationUrlResponse.authorizationUrl) res.redirect(authorizationUrlResponse.authorizationUrl)
@ -400,7 +400,7 @@ class Auth {
const openIdIssuerConfig = await this.oidcAuthStrategy.getIssuerConfig(req.query.issuer) const openIdIssuerConfig = await this.oidcAuthStrategy.getIssuerConfig(req.query.issuer)
if (openIdIssuerConfig.error) { if (openIdIssuerConfig.error) {
return res.status(openIdIssuerConfig.status).send(openIdIssuerConfig.error) return res.status(openIdIssuerConfig.status).json({ error: openIdIssuerConfig.error })
} }
res.json(openIdIssuerConfig) res.json(openIdIssuerConfig)

2
server/auth/OidcSettingsSchema.js
View file

@ -296,7 +296,7 @@ function validateSettings(values) {
if (field.validate === 'uri') { if (field.validate === 'uri') {
if (Array.isArray(value)) { if (Array.isArray(value)) {
const uriPattern = /^\w+:\/\/[\w.-]+(\/[\w./-]*)*$/i const uriPattern = /^\w+:\/\/[\w.-]+(\/[\w./-]*)?$/i
for (const uri of value) { for (const uri of value) {
if (!uriPattern.test(uri)) { if (!uriPattern.test(uri)) {
errors.push(`${field.label}: Invalid URI "${uri}"`) errors.push(`${field.label}: Invalid URI "${uri}"`)

18
test/server/auth/OidcSettingsSchema.test.js
View file

@ -134,6 +134,24 @@ describe('OidcSettingsSchema - validateSettings', function () {
expect(result.errors[0]).to.include('Invalid URI') expect(result.errors[0]).to.include('Invalid URI')
}) })
it('should not hang on pathological URI input', function () {
this.timeout(1000)
const result = validateSettings({
...validSettings,
authOpenIDMobileRedirectURIs: ['a://-/' + '/'.repeat(100) + '!']
})
expect(result.valid).to.be.false
expect(result.errors[0]).to.include('Invalid URI')
})
it('should accept URI with path segments', function () {
const result = validateSettings({
...validSettings,
authOpenIDMobileRedirectURIs: ['https://example.com/path/to/callback']
})
expect(result.valid).to.be.true
})
it('should reject unknown keys', function () { it('should reject unknown keys', function () {
const result = validateSettings({ const result = validateSettings({
...validSettings, ...validSettings,