node-openid icon indicating copy to clipboard operation
node-openid copied to clipboard
verified publisher icon havard

VerifyAssertion does not fail when return URL with different parameter is provided.

Open OndrishD opened this issue 6 years ago • 3 comments

There is a bug on line 994 in openid.js

The foreach iterator for query parameters is checking for different values on receivedReturnUrl and assertionUrl which is the same URL as receivedReturnUrl was constructed from assertionUrl. Therefore it always evaluate to FALSE and fails to detect if query parameters of return url are mismatched.

for (var param in receivedReturnUrl.query) {
    // THIS IS ALWAYS FALSE
    if (hasOwnProperty(receivedReturnUrl.query, param) && receivedReturnUrl.query[param] !== assertionUrl.query[param]) {
      return false;
    }
  }

I think the intended code was meant to be as follows:

for (var param in originalReturnUrl.query) {
    if (hasOwnProperty(receivedReturnUrl.query, param) && receivedReturnUrl.query[param] !== originalReturnUrl.query[param]) {
      return false;
    }
  }

OndrishD avatar Jan 11 '20 18:01 OndrishD

Yes, it seems you are correct. Would you care to make a PR? I'd be happy to review and pull.

havard avatar Jan 26 '20 16:01 havard

Hello! im still having this issue today. Any chance I can open a PR and get this through?

RomenPoirierTaksev avatar Jul 09 '24 19:07 RomenPoirierTaksev

Sure!

havard avatar Jul 12 '24 12:07 havard