spring-authorization-server icon indicating copy to clipboard operation
spring-authorization-server copied to clipboard
verified publisher icon spring-projects

Consider rejecting client authentication where clientId has non-printable ASCII characters

Open scottcarter87 opened this issue 3 years ago • 0 comments

Describe the bug A request to the token endpoint with a client ID containing non printable ASCII characters such as 0x00 (null), 0x0a (line feed), etc. This results in the AuthenticationProviders passing this value to the repo layer where Postgres (and potentially other data sources) will throw a DataIntegrityViolationException when trying to run a select query that contains a clientId like this.

To Reproduce Send a post request to the OAuth2 token endpoint with the client ID set to "\0x00" or any other non-printable ASCII character with or without other printable ASCII characters. The request will be passed through to the repo layer and will throw an error.

Expected behavior Expected behavior is that Spring would reject any clientId containing non-printable ASCII characters as either a bad request or unauthorized without ever attempting to lookup the RegisteredClient in the database.

Sample

    @DataProvider
    private Object[][] invalidClientIds() {
        return new Object[][] {
                // Null in hex
                { "\0x00" },

                // Line feed in hex
                { "\0x0a" },

                // Escape in hex
                { "\0x1b" },

                // Mix of printable and non-printable ASCII characters (escape character + 'a')
                { "\0x1b\0x61" },
        };
    }

    @Test(dataProvider = "invalidClientIds")
    public void postForAccessTokenWithNonPrintableAsciiCharacters(final String clientId) throws Exception {
        getMockMvc().perform(post(OAuth2.TOKEN_ROOT)
                        .contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE)
                        .param(OAuth2Constants.Parameters.GRANT_TYPE, AuthorizedGrantType.CLIENT_CREDENTIALS.getValue())
                        .param(OAuth2Constants.Parameters.CLIENT_ID, clientId)
                        .param(OAuth2Constants.Parameters.CLIENT_SECRET, ServiceAccount.CLIENT_SECRET))
                .andExpect(status().isUnauthorized());
    }

    @Test(dataProvider = "invalidClientIds")
    public void postForAccessTokenBasicAuthWithNonPrintableAsciiCharacters(final String clientId) throws Exception {
        getMockMvc().perform(post(OAuth2.TOKEN_ROOT)
                        .with(httpBasic(clientId, OAuthClientDetailsTestData.ServiceAccount.CLIENT_SECRET))
                        .contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE)
                        .param(OAuth2Constants.Parameters.GRANT_TYPE, AuthorizedGrantType.CLIENT_CREDENTIALS.getValue()))
                .andExpect(status().isUnauthorized());
    }

scottcarter87 avatar Sep 12 '22 17:09 scottcarter87