
Verified Commit c84c507e authored by Emi Simpson's avatar Emi Simpson

[api] Validate the callback url's protocol

parent 29374523
Pipeline #1116 passed with stage
in 49 seconds
......@@ -60,6 +60,14 @@ def _after_running_update_session(func: Callable[P, Tuple[Mapping[str, Any], T]]
return return_val
return wrapped
def _validate_url_proto(u: Url) -> bool:
"""
A quick heuristic for determining if a URL starts with a valid protocol
Returns `True` if it looks like `u` might have a valid protocol, or `False` otherwise
"""
return u.startswith('http')
NULLIFY_SESSION: Mapping[str, None] = {'callback': None}
@dataclass(frozen=True)
class AuthModule:
......@@ -230,6 +238,9 @@ class AuthModule:
else:
callback = Url(_callback)
if not _validate_url_proto(callback):
return ({}, R(HTTPStatus.BAD_REQUEST, 'Callback should start with a protocol like https://'))
# Check to make sure direct auth is allowed
if self.mock_saml_auth:
return ({'callback': callback}, R.redirect(Url('/auth/login')))
......@@ -273,6 +284,9 @@ class AuthModule:
else:
callback = Url(_either_callback)
if not _validate_url_proto(callback):
return ({}, R(HTTPStatus.BAD_REQUEST, 'Callback should start with a protocol like https://'))
if isinstance(auth_info, AuthAttrs) and auth_info is not None:
# The user has already completed SAML authentication
return queries.Transaction(queries.BoundQuery(
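Review bot: The check in `_validate_url_proto` (first hunk) is looser than the error message it guards in the second and third hunks: `u.startswith('http')` accepts any string beginning with those four letters, including one with no `://` separator at all, while the response text promises a protocol "like https://". A tighter one-liner that matches the message is `return u.startswith(('http://', 'https://'))`, or, if the project is fine with normalisation, `return urllib.parse.urlsplit(u).scheme in ('http', 'https')`. The docstring's "quick heuristic" wording should then say which schemes are accepted. Note also that this validates only the scheme; if the callback value originates from the request, it says nothing about where the redirect ends up, so an allowlist of permitted callback hosts would be the usual complement — that is inferred from the surrounding code, which starts outside these hunks.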