Merge pull request #638 from amCap1712/code-challenge-invalid

rfc7636: validate code challenge format
lepture · Apr 8, 2024 · dc3d77d · dc3d77d
2 parents b9edea5 + 9af7d77
commit dc3d77d
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 8 deletions.
diff --git a/authlib/oauth2/rfc7636/challenge.py b/authlib/oauth2/rfc7636/challenge.py
@@ -9,6 +9,7 @@
 
 
 CODE_VERIFIER_PATTERN = re.compile(r'^[a-zA-Z0-9\-._~]{43,128}$')
+CODE_CHALLENGE_PATTERN = re.compile(r'^[a-zA-Z0-9\-._~]{43,128}$')
 
 
 def create_s256_code_challenge(code_verifier):
@@ -76,6 +77,9 @@ def validate_code_challenge(self, grant):
         if not challenge:
             raise InvalidRequestError('Missing "code_challenge"')
 
+        if not CODE_CHALLENGE_PATTERN.match(challenge):
+            raise InvalidRequestError('Invalid "code_challenge"')
+
         if method and method not in self.SUPPORTED_CODE_CHALLENGE_METHOD:
             raise InvalidRequestError('Unsupported "code_challenge_method"')
 

diff --git a/tests/flask/test_oauth2/test_code_challenge.py b/tests/flask/test_oauth2/test_code_challenge.py
@@ -65,18 +65,23 @@ def test_missing_code_challenge(self):
 
     def test_has_code_challenge(self):
         self.prepare_data()
-        rv = self.client.get(self.authorize_url + '&code_challenge=abc')
+        rv = self.client.get(self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s')
         self.assertEqual(rv.data, b'ok')
 
+    def test_invalid_code_challenge(self):
+        self.prepare_data()
+        rv = self.client.get(self.authorize_url + '&code_challenge=abc&code_challenge_method=plain')
+        self.assertIn(b'Invalid', rv.data)
+
     def test_invalid_code_challenge_method(self):
         self.prepare_data()
-        suffix = '&code_challenge=abc&code_challenge_method=invalid'
+        suffix = '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s&code_challenge_method=invalid'
         rv = self.client.get(self.authorize_url + suffix)
         self.assertIn(b'Unsupported', rv.data)
 
     def test_supported_code_challenge_method(self):
         self.prepare_data()
-        suffix = '&code_challenge=abc&code_challenge_method=plain'
+        suffix = '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s&code_challenge_method=plain'
         rv = self.client.get(self.authorize_url + suffix)
         self.assertEqual(rv.data, b'ok')
 
@@ -101,7 +106,7 @@ def test_trusted_client_without_code_challenge(self):
 
     def test_missing_code_verifier(self):
         self.prepare_data()
-        url = self.authorize_url + '&code_challenge=foo'
+        url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s'
         rv = self.client.post(url, data={'user_id': '1'})
         self.assertIn('code=', rv.location)
 
@@ -117,7 +122,7 @@ def test_missing_code_verifier(self):
 
     def test_trusted_client_missing_code_verifier(self):
         self.prepare_data('client_secret_basic')
-        url = self.authorize_url + '&code_challenge=foo'
+        url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s'
         rv = self.client.post(url, data={'user_id': '1'})
         self.assertIn('code=', rv.location)
 
@@ -133,7 +138,7 @@ def test_trusted_client_missing_code_verifier(self):
 
     def test_plain_code_challenge_invalid(self):
         self.prepare_data()
-        url = self.authorize_url + '&code_challenge=foo'
+        url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s'
         rv = self.client.post(url, data={'user_id': '1'})
         self.assertIn('code=', rv.location)
 
@@ -150,7 +155,7 @@ def test_plain_code_challenge_invalid(self):
 
     def test_plain_code_challenge_failed(self):
         self.prepare_data()
-        url = self.authorize_url + '&code_challenge=foo'
+        url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s'
         rv = self.client.post(url, data={'user_id': '1'})
         self.assertIn('code=', rv.location)
 
@@ -206,7 +211,7 @@ def test_s256_code_challenge_success(self):
 
     def test_not_implemented_code_challenge_method(self):
         self.prepare_data()
-        url = self.authorize_url + '&code_challenge=foo'
+        url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s'
         url += '&code_challenge_method=S128'
 
         rv = self.client.post(url, data={'user_id': '1'})