fix: tos_uri validation

hperl · hperl · commit d0e2a29d1300 · 2025-02-14T14:06:52.000+01:00
diff --git a/client/validator.go b/client/validator.go
@@ -88,6 +88,18 @@ func (v *Validator) Validate(ctx context.Context, c *Client) error {
 		}
 	}
 
+	if c.TermsOfServiceURI != "" {
+		u, err := url.ParseRequestURI(c.TermsOfServiceURI)
+		if err != nil {
+			return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Field tos_uri must be a valid URI."))
+		}
+
+		if u.Scheme != "https" && u.Scheme != "http" {
+			return errorsx.WithStack(ErrInvalidClientMetadata.WithHintf("tos_uri %s must use https:// or http:// as HTTP scheme.", c.TermsOfServiceURI))
+		}
+
+	}
+
 	if len(c.Secret) > 0 && len(c.Secret) < 6 {
 		return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Field client_secret must contain a secret that is at least 6 characters long."))
 	}
diff --git a/client/validator_test.go b/client/validator_test.go
@@ -37,8 +37,6 @@ func TestValidate(t *testing.T) {
 	reg := internal.NewRegistryMemory(t, c, &contextx.Static{C: c.Source(ctx)})
 	v := NewValidator(reg)
 
-	testCtx := context.TODO()
-
 	dec := json.NewDecoder(strings.NewReader(validJWKS))
 	dec.DisallowUnknownFields()
 	var goodJWKS jose.JSONWebKeySet
@@ -129,6 +127,10 @@ func TestValidate(t *testing.T) {
 				assert.Equal(t, []string{"https://foo/"}, []string(c.PostLogoutRedirectURIs))
 			},
 		},
+		{
+			in:        &Client{ID: "foo", TermsOfServiceURI: "javascript:alert('XSS')"},
+			assertErr: assert.Error,
+		},
 		{
 			in: &Client{ID: "foo"},
 			check: func(t *testing.T, c *Client) {
@@ -163,7 +165,7 @@ func TestValidate(t *testing.T) {
 					return v
 				}
 			}
-			err := tc.v(t).Validate(testCtx, tc.in)
+			err := tc.v(t).Validate(ctx, tc.in)
 			if tc.assertErr != nil {
 				tc.assertErr(t, err)
 			} else {
@@ -179,7 +181,7 @@ type fakeHTTP struct {
 	c *http.Client
 }
 
-func (f *fakeHTTP) HTTPClient(ctx context.Context, opts ...httpx.ResilientOptions) *retryablehttp.Client {
+func (f *fakeHTTP) HTTPClient(_ context.Context, opts ...httpx.ResilientOptions) *retryablehttp.Client {
 	c := httpx.NewResilientClient(opts...)
 	c.HTTPClient = f.c
 	return c
@@ -190,7 +192,7 @@ func TestValidateSectorIdentifierURL(t *testing.T) {
 	var payload string
 
 	var h http.HandlerFunc = func(w http.ResponseWriter, r *http.Request) {
-		w.Write([]byte(payload))
+		_, _ = w.Write([]byte(payload))
 	}
 	ts := httptest.NewTLSServer(h)
 	defer ts.Close()

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,18 @@ func (v Validator) Validate(ctx context.Context, c Client) error {`
`88`	`88`	`}`
`89`	`89`	`}`
`90`	`90`
	`91`	`+ if c.TermsOfServiceURI != "" {`
	`92`	`+ u, err := url.ParseRequestURI(c.TermsOfServiceURI)`
	`93`	`+ if err != nil {`
	`94`	`+ return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Field tos_uri must be a valid URI."))`
	`95`	`+ }`
	`96`	`+`
	`97`	`+ if u.Scheme != "https" && u.Scheme != "http" {`
	`98`	`+ return errorsx.WithStack(ErrInvalidClientMetadata.WithHintf("tos_uri %s must use https:// or http:// as HTTP scheme.", c.TermsOfServiceURI))`
	`99`	`+ }`
	`100`	`+`
	`101`	`+ }`
	`102`	`+`
`91`	`103`	`if len(c.Secret) > 0 && len(c.Secret) < 6 {`
`92`	`104`	`return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Field client_secret must contain a secret that is at least 6 characters long."))`
`93`	`105`	`}`