Commit 0c6e3b2

mo <mo@mokhan.ca>
2018-10-13 17:44:29
respond to client with error when state appears malicious
1 parent 56c2101
Changed files (2)
app/controllers/oauths_controller.rb
@@ -36,6 +36,8 @@ class OauthsController < ApplicationController
       oauth[:response_type],
       oauth[:state]
     )
+  rescue StandardError
+    redirect_to client.redirect_url(error: :invalid_request)
   end
 
   private
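Review bot: The `rescue StandardError` added on line 15 catches every error raised in the action body, not only the state validation the commit title describes, so a database outage or a NoMethodError in the call on lines 12–14 would also be reported to the client as `invalid_request`, and nothing is logged either way. Rescue the specific exception the validation raises (not visible in this hunk) and at least record the rest, e.g. `rescue StandardError => e` / `Rails.logger.warn("oauth authorize rejected: #{e.class}")` / `redirect_to client.redirect_url(error: :invalid_request)`; keep the raw `state` value out of the log line since it is attacker-controlled. Note also that if the failure originates in `client` itself (e.g. it resolves to nil), the handler on line 16 raises again from inside the rescue, so it is worth confirming `client` is resolved before this point. The enclosing action begins above the hunk.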
spec/requests/oauth_spec.rb
@@ -81,6 +81,17 @@ RSpec.describe '/oauth' do
 
           specify { expect(response).to have_http_status(:bad_request) }
         end
+
+        context "when the state parameter looks malicious" do
+          let(:state) { "<script>alert('hi');</script>" }
+
+          before :each do
+            get "/oauth", params: { client_id: client.to_param, response_type: 'token', state: state, redirect_uri: client.redirect_uri }
+            post "/oauth"
+          end
+
+          specify { expect(response).to redirect_to(client.redirect_url(error: 'invalid_request')) }
+        end
       end
     end
   end
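Review bot: The single assertion on line 34 only checks the redirect target, and because the controller now rescues every StandardError, this example would pass equally if `post "/oauth"` failed for an unrelated reason, so it does not show that the state check is what fired. Add an assertion that the payload is not reflected into the redirect, e.g. `specify { expect(CGI.unescape(response.location)).not_to include(state) }`, and consider a sibling example with a benign `state` asserting it is not rejected, so the rejection is tied to the content of `state` rather than to any exception. The surrounding describe/context blocks begin above the hunk.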