-
-
Notifications
You must be signed in to change notification settings - Fork 797
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix possible crash in validator when 'client' key is mentioned in request body #1252
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@realsuayip Thanks for the PR. I have two asks.
- Can you dig into why
request.client
was set to something else? This could be an interactive custom code from your project, a conflict with package, or a symptom of a bug else where in oauth_toolkit or oauth_lib. I'd like us to be sure of what we are fixing. - We need to include a test to help avoid regressions.
eda18ca
to
1c74222
Compare
Codecov Report
@@ Coverage Diff @@
## master #1252 +/- ##
=======================================
Coverage 97.29% 97.29%
=======================================
Files 31 31
Lines 1996 1997 +1
=======================================
+ Hits 1942 1943 +1
Misses 54 54
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
In In order to create this instance there are multiple parameters required, one of them being Essentially, The problem is, Solutions that come to my mind: 1 - The solution in current PR, which checks for There might other internal attributes which might be affected from this (in which case solution 2 would be better), I noticed So, what do you think we should do? |
Well it seems like the simple solution is to correct your typo.... However, you are right DOT could provide a better Developer Experience here. Given your case, you intended to pass a client_id, but instead passed client. It could very well be that you didn't want the user to be logged into whatever the fallback client_id. That would be an erroneous situation that if we let it happen might created more subtle and harder to diagnose problems for you or your front end teams depending on your IDp. I don't think falling back to a default as I believe this PR is proposing would be a good solution because of that. I could be misinterpreting the flow here though. In theory the inputs to these endpoints should be restricted to those in the specification. Along that line of thinking any extraneous input could be considered an error, especially so if it conflicts with an internally reserved property on the request like in this case. I think it would be better to validate the input and raise an error if we find a param that conflicts with a reserved property like client. Alternatively we could silently ignore unknown properties as you proposed, but that could also lead to unexpected results for our users... although another lay of validation may handle that.... @realsuayip do validation errors seems like a reasonable course of action to you, or you do you have other thoughts based on my feedback? |
Yes, I think it's totally acceptable.
Does that mean we would only raise validation errors in case there is a conflict? If so, thats a bit odd. Maybe we should consider raising errors if given key is not valid.
Yes, besides, my main concern is exposing an endpoint where you can consistently crash the server. Some guy might just spam this endpoint with invalid requests just to deplete Sentry quotas 😁 |
I feel there are valid reasons to pass other arguments like ?utm_* tags for marketing and activity contribution, or a GA session id from a cookie to use GA measurement protocol server side to track a token issue event and associate it with a users session. Or maybe transactions ids to associate the span on the token issuance with a user session for debugging. For that reason I would lean toward of conservative of approach of only dis-allowing things we know will cause errors and conflict with our code.
That sounds like a reason to fix your typo. ;) |
To be clear, any Django application using |
That was meant as a joke. The rest of the feedback stands. I'm not going to approve a solution that overwrites the client property in this case. We should validate the input property that is conflicting and only that property and we should allow other query parameters for use cases such as analytics attribution and span tracking for telemetry. |
@dopry @realsuayip Where do we stand with this? Should I close it or @realsuayip will you be making the changes suggested by @dopry? |
@n2ygk I think we should leave it open or convert it an issue if @realsuayip doesn't have the bandwidth. It is after all a bug we need to address. |
Description of the Change
When sending a request to
oauth2_provider.views.base.TokenView
, ifclient
is sent via request body (typo ofclient_id
), the server crashes with:'str' object has no attribute 'is_usable'
(str object being
client
in request body)I'm not sure why
request.client
is set to this attribute; I'm guessing request body is added to oauth request as attrs.I changed the check so that application would be fetched if the type does not match.
Checklist
CHANGELOG.md
updated (only for user relevant changes)AUTHORS