[KEYCLOAK-11576] - Properly handling redirect_uri parser errors

2020-02-20 18:46:35 -03:00 · 2020-02-20 18:46:35 -03:00 · 1c71eb93db
commit 1c71eb93db
parent 950eae090f
2 changed files with 29 additions and 11 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java
@ -84,8 +84,18 @@ public class RedirectUtils {
        KeycloakUriInfo uriInfo = session.getContext().getUri();
        RealmModel realm = session.getContext().getRealm();

-        if (redirectUri != null)
-            redirectUri = normalizeUrl(redirectUri);
+        if (redirectUri != null) {
+            try {
+                URI uri = URI.create(redirectUri);
+                redirectUri = uri.normalize().toString();
+            } catch (IllegalArgumentException cause) {
+                logger.debug("Invalid redirect uri", cause);
+                return null;
+            } catch (Exception cause) {
+                logger.debug("Unexpected error when parsing redirect uri", cause);
+                return null;
+            }
+        }

        if (redirectUri == null) {
            if (!requireRedirectUri) {
@ -185,13 +195,4 @@ public class RedirectUtils {
        }
        return validRedirect;
    }
-
-    private static String normalizeUrl(String url) {
-        try {
-            URI uri = new URI(url);
-            return uri.normalize().toString();
-        } catch (URISyntaxException e) {
-            throw new IllegalArgumentException("Invalid URL syntax: " + e.getMessage());
-        }
-    }
 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
@ -114,6 +114,23 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
        String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
    }

+    @Test
+    public void testInvalidRedirectUri() {
+        ClientManager.realm(adminClient.realm("test")).clientId("test-app").addRedirectUris(oauth.getRedirectUri());
+
+        oauth.redirectUri(oauth.getRedirectUri() + "%20test");
+        oauth.openLoginForm();
+
+        assertTrue(errorPage.isCurrent());
+        assertEquals("Invalid parameter: redirect_uri", errorPage.getError());
+
+        oauth.redirectUri("ZAP%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%0A");
+        oauth.openLoginForm();
+
+        assertTrue(errorPage.isCurrent());
+        assertEquals("Invalid parameter: redirect_uri", errorPage.getError());
+    }
+
    @Test
    public void authorizationRequestNoState() throws IOException {
        oauth.stateParamHardcoded(null);