Feature/72 #86
Feature/72 #86
Conversation
… works with implicit grant results.
…vironment file path.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…detail page tests for all token types.
| } catch(e) { | ||
| log.error("An error occurred while retrieving the claim description XML: " + e.stack); | ||
| res.status(500) | ||
| .render('error', { error: e }); |
Check warning
Code scanning / CodeQL
Information exposure through a stack trace Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 hour ago
To fix the information exposure via stack trace, we should ensure that information sent to the user contains only generic error details, while any detailed error logs (including stack traces) are retained only in server logs. Specifically:
- In file
api/server.js, at line 119, replaceres.render('error', { error: e });with a more generic response. - Log the complete error (including stack trace) server-side using
log.error, as is already done. - For the user response, send only a general message, such as
"An unexpected error occurred."or a structured error object containing a generic message and sanitized code, but never expose stack traces or internal exception details. - If standardized error codes or models are used (such as Swagger), ensure the structure matches expectations, but content remains generic.
No change to imports is required; use only standard logging.
| @@ -116,7 +116,11 @@ | ||
| } catch(e) { | ||
| log.error("An error occurred while retrieving the claim description XML: " + e.stack); | ||
| res.status(STATUS_500) | ||
| .render('error', { error: e }); | ||
| .json({ | ||
| status: false, | ||
| code: 'UNEXPECTED_ERROR', | ||
| message: 'An unexpected error occurred.' | ||
| }); | ||
| } | ||
| }); | ||
|
|
…rom token_detail or userinfo views. Userinfo has a backend processing option and works correctly with POST method.
…h call and validate the tokens received.
| axios({ | ||
| method: 'get', | ||
| url: Buffer.from(req.query.userinfo_endpoint, 'base64').toString('utf-8'), | ||
| headers: headers, | ||
| httpsAgent: new (require('https').Agent)({ rejectUnauthorized: true }) | ||
| }) |
Check failure
Code scanning / CodeQL
Server-side request forgery Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 hour ago
To fix the SSRF issue, we need to ensure the outgoing request’s URL cannot be arbitrarily set by the user. The most robust standard fix is to restrict the target host/domain with an allow-list, so that only pre-approved endpoints can be used. For example, instead of using any URL provided by the user, the code should map a user-supplied identifier (such as an alias or region code) to a specific endpoint from a list of known safe URLs. If the architecture requires the full URL, then strict validation (e.g., regex, hostname checking, path disallowing local/internal services) must be implemented.
In this case, we should:
- Define an allow-list of permitted endpoints (e.g., in an object mapping of endpoint aliases to URLs).
- Accept from the client only either: (a) an alias key that selects the real endpoint, or (b) a base64 value and then check the decoded URL against the allow-list.
- If the value does not match any allowed endpoint, reject the request with an error status and message.
Steps (in file api/server.js):
- Add a mapping (object) of allowed endpoints (e.g., OIDC issuers’ userinfo URLs).
- In
userinfo_common, fetch either an alias or a URL, decode it if needed, and check that it matches the allowed endpoints. - If valid, proceed with the request. If not, respond with 400 (Bad Request) and error message.
- Optionally, log invalid attempts for audit.
- No additional imports are necessary.
|
|
||
| app.use(bodyParser.json()); | ||
| var corsOptions = { | ||
| origin: '*', |
Check warning
Code scanning / CodeQL
Permissive CORS configuration Medium
OAuth2 Implicit Grant + Test working.