Using the (unimplemented) claims= parameter in an OIDC authorize request triggers XSS detection with authentication=Choice
Affected version
Version: 2.16.2
Summary
- Configure Choice as auth module (one Demo choice)
- Enable OIDC issuer
- Send an OIDC request with a "claims" parameter (see the log below)
- A scary log is generated, but no other side effect (unless a custom URL is set in Choice module, maybe)
Logs
[error] XSS attack detected (param: URI | value: /oauth2/authorize?response_type=code&scope=openid&client_id=testrp&state=5azlOvBCuQcmlu_TeCGL317RuSk&redirect_uri=http%3A%2F%2Frp.example.com%2Foauth2callback&nonce=DkqDQChJVDWiLtyDknOYkRyC4xEDhlRMq_wEGtB8twU&claims={%22mail%22:%20null})
Possible fixes
Relevant code from Lib::Choice:

    # Default URL
    $req->data->{cspFormAction} ||= {};
    if (
        defined $url
        # XSS check on the incoming request URI (no longer part of $url, see below)
        and not $self->checkXSSAttack( 'URI', $req->env->{'REQUEST_URI'} )
        # URL must be well formatted
        and $url =~ q%^(https?://)?[^\s/.?#$].[^\s]+$%
      )
    {
        # Allow the custom URL's host in the CSP form-action directive
        my $csp_uri = $self->cspGetHost($url);
        $req->data->{cspFormAction}->{$csp_uri} = 1;
    }
There is no point in checking REQUEST_URI for potential XSS because REQUEST_URI is not used in Choice anymore.
In fact, I'm the one who accidentally removed REQUEST_URI from form destinations (see cd97d3b9).
There haven't been any complaints because pdata already saves REQUEST_URI.
@guimard: I need some advice here on what to do
- Fix my mistake and reintroduce the following line:

      $url .= $req->env->{'REQUEST_URI'};

  which will break OIDC requests that use the "claims" parameter?
- Or just remove the useless XSS check?
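To illustrate the second option, here is an added example (my own stand-alone script, not LemonLDAP::NG code): the well-formedness regex from the Lib::Choice snippet is applied to the configured custom URL only, which is the value that actually ends up in the CSP form-action directive, so the incoming REQUEST_URI (and therefore an OIDC "claims" parameter carrying JSON) never enters the check. `csp_get_host` is a hypothetical simplified stand-in for `cspGetHost`, and the sample URLs are constructed.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: build the Choice form-action
# allow-list from the custom URL alone, without inspecting REQUEST_URI.
use strict;
use warnings;

# Same well-formedness check as the Lib::Choice snippet above
# (the "$" inside the character class is escaped because qr{} interpolates).
my $URL_RE = qr{^(https?://)?[^\s/.?#\$].[^\s]+$};

# Hypothetical stand-in for cspGetHost: "scheme://host[:port]" for an
# absolute URL, the value unchanged when it is relative.
sub csp_get_host {
    my ($url) = @_;
    return $1 if $url =~ m{^(https?://[^/?#\s]+)};
    return $url;
}

# Returns the hashref that would be stored in $req->data->{cspFormAction}.
# Only the configured custom URL is validated: the request URI that the
# browser used to reach the portal is not part of the form destination.
sub choice_form_action {
    my ($url) = @_;
    my %form_action;
    if ( defined $url and $url =~ $URL_RE ) {
        $form_action{ csp_get_host($url) } = 1;
    }
    return \%form_action;
}

# Constructed OIDC authorize URI carrying a JSON "claims" parameter; it is
# deliberately not passed to choice_form_action, so it cannot trip the check.
my $oidc_uri = '/oauth2/authorize?response_type=code&scope=openid&client_id=testrp'
  . '&redirect_uri=http%3A%2F%2Frp.example.com%2Foauth2callback'
  . '&claims={%22mail%22:%20null}';
print "Request URI (ignored by the check): $oidc_uri\n\n";

# Constructed custom URL values for the Choice module
for my $url (
    'https://sso.example.com/auth',    # valid absolute URL: host allowed
    'portal/choice',                   # valid relative URL: kept as-is
    "https://sso.example.com/ x",      # whitespace: rejected by the regex
    undef,                             # no custom URL configured: nothing added
  )
{
    my $fa = choice_form_action($url);
    printf "%-30s -> form-action: %s\n", ( $url // '(undef)' ),
      ( %$fa ? join( ',', sort keys %$fa ) : '(none)' );
}
```

The first two inputs produce an allow-list entry, the last two produce none, and the outcome is the same whatever query string the authorize request carried. The regex is the page's own; whether `checkXSSAttack` should still guard other inputs is a separate question this script does not address.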