topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

safe handling of RawStrs

pull/1955/head
Stuart Heap 4 years ago
parent
d0d476f8ef
commit
d0d261a346
No known key found for this signature in database GPG Key ID: C753450AB379AA25
1 changed files with 23 additions and 16 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 39
      src/api/identity.rs

39
src/api/identity.rs
View File

@ -525,25 +525,30 @@ fn invalid_json(error_message: &str, exception: bool) -> JsonResult {
#[allow(non_snake_case)] #[allow(non_snake_case)]
fn prevalidate(domainHint: &RawStr, conn: DbConn) -> JsonResult { fn prevalidate(domainHint: &RawStr, conn: DbConn) -> JsonResult {
let empty_result = json!({}); let empty_result = json!({});
match domainHint.percent_decode() {
Ok(domain_hint) => {
let organization = Organization::find_by_identifier(&domain_hint.to_owned(), &conn);
match organization {
Some(organization) => {
if !organization.use_sso {
return invalid_json("SSO Not allowed for organization", false);
}
},
None => {
return invalid_json("Organization not found by identifier", false);
},
}
// TODO as_str shouldn't be used here if domainHint == "" {
let organization = Organization::find_by_identifier(domainHint.as_str(), &conn); return invalid_json("No Organization Identifier Provided", false);
match organization {
Some(organization) => {
if !organization.use_sso {
return invalid_json("SSO Not allowed for organization", false);
} }
Ok(Json(empty_result))
}, },
None => { Err(_) => {
return invalid_json("Organization not found by identifier", false); return invalid_json("Invalid domainHint received", false);
}, },
} }
if domainHint == "" {
return invalid_json("No Organization Identifier Provided", false);
}
Ok(Json(empty_result))
} }
use openidconnect::core::{ use openidconnect::core::{
@ -601,7 +606,9 @@ fn authorize(
state: &RawStr, state: &RawStr,
conn: DbConn, conn: DbConn,
) -> Redirect { ) -> Redirect {
let client = get_client_from_identifier(domain_hint.as_str(), &conn); let domain_hint_decoded = &domain_hint.percent_decode().expect("Invalid domain_hint").into_owned();
let state_decoded = &state.percent_decode().expect("Invalid state").into_owned();
let client = get_client_from_identifier(domain_hint_decoded, &conn);
let (mut authorize_url, _csrf_state, _nonce) = client let (mut authorize_url, _csrf_state, _nonce) = client
.authorize_url( .authorize_url(
@ -619,7 +626,7 @@ fn authorize(
let new_pairs = old_pairs.map(|pair| { let new_pairs = old_pairs.map(|pair| {
let (key, value) = pair; let (key, value) = pair;
if key == "state" { if key == "state" {
return format!("{}={}", key, state); return format!("{}={}", key, state_decoded);
} }
return format!("{}={}", key, value); return format!("{}={}", key, value);
}); });

Write Preview
Loading…
Cancel
Save