mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix: hide internal server error details from users 

Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
pull/4457/head
Ivan Zvyagintsev 2 months ago
parent
debcb5c8f9
commit
b0a6ee9045
1 changed files with 29 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 33
      server/deviceflowhandlers_test.go

33
server/deviceflowhandlers_test.go
Unescape View File

@ -222,8 +222,9 @@ func TestDeviceCallback(t *testing.T) {
code: "somecode",
error: "Error Condition",
},
expectedResponseCode: http.StatusBadRequest,
expectedServerResponse: "Error Condition: \n",
expectedResponseCode: http.StatusBadRequest,
// Note: Error details should NOT be displayed to user anymore.
// Instead, a safe generic message is shown.
},
{
testName: "Expired Auth Code",
@ -352,8 +353,9 @@ func TestDeviceCallback(t *testing.T) {
code: "somecode",
error: "<script>console.log(window);</script>",
},
expectedResponseCode: http.StatusBadRequest,
expectedServerResponse: "&lt;script&gt;console.log(window);&lt;/script&gt;: \n",
expectedResponseCode: http.StatusBadRequest,
// Note: XSS data should NOT be displayed to user anymore.
// Instead, a safe generic message is shown.
},
}
for _, tc := range tests {
@ -413,6 +415,29 @@ func TestDeviceCallback(t *testing.T) {
t.Errorf("%s: Unexpected Response. Expected %q got %q", tc.testName, tc.expectedServerResponse, result)
}
}
// Special check for error message safety tests
if tc.testName == "Prevent cross-site scripting" || tc.testName == "Error During Authorization" {
result, _ := io.ReadAll(rr.Body)
responseBody := string(result)
// Error details should NOT be present in the response (for security)
if tc.testName == "Prevent cross-site scripting" {
if strings.Contains(responseBody, "<script>") || strings.Contains(responseBody, "console.log(window)") {
t.Errorf("%s: XSS script found in response, but should be blocked: %q", tc.testName, responseBody)
}
}
if tc.testName == "Error During Authorization" {
if strings.Contains(responseBody, "Error Condition") {
t.Errorf("%s: Error details found in response, but should be hidden: %q", tc.testName, responseBody)
}
}
// Safe message should be present
if !strings.Contains(responseBody, "Authorization failed. Please try again.") {
t.Errorf("%s: Safe error message not found in response: %q", tc.testName, responseBody)
}
}
})
}
}

Write Preview
Loading…
Cancel
Save