fix: add validation for callback URLs (#929)

2025-12-09 14:42:59 +03:00 · 2025-09-10 19:14:54 +02:00
parent d123d7f335
commit 6c9147483c
4 changed files with 60 additions and 16 deletions
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -31,8 +31,8 @@ type OidcClientWithAllowedGroupsCountDto struct {

 type OidcClientUpdateDto struct {
 	Name                     string                   `json:"name" binding:"required,max=50" unorm:"nfc"`
-	CallbackURLs             []string                 `json:"callbackURLs"`
-	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs"`
+	CallbackURLs             []string                 `json:"callbackURLs" binding:"omitempty,dive,callback_url"`
+	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs" binding:"omitempty,dive,callback_url"`
 	IsPublic                 bool                     `json:"isPublic"`
 	PkceEnabled              bool                     `json:"pkceEnabled"`
 	RequiresReauthentication bool                     `json:"requiresReauthentication"`
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -1,7 +1,9 @@
 package dto

 import (
+	"net/url"
 	"regexp"
+	"strings"
 	"time"

 	"github.com/pocket-id/pocket-id/backend/internal/utils"
@@ -23,32 +25,34 @@ func init() {
 	// Maximum allowed value for TTLs
 	const maxTTL = 31 * 24 * time.Hour

-	// Errors here are development-time ones
-	err := v.RegisterValidation("username", func(fl validator.FieldLevel) bool {
+	if err := v.RegisterValidation("username", func(fl validator.FieldLevel) bool {
 		return ValidateUsername(fl.Field().String())
-	})
-	if err != nil {
+	}); err != nil {
 		panic("Failed to register custom validation for username: " + err.Error())
 	}

-	err = v.RegisterValidation("client_id", func(fl validator.FieldLevel) bool {
+	if err := v.RegisterValidation("client_id", func(fl validator.FieldLevel) bool {
 		return ValidateClientID(fl.Field().String())
-	})
-	if err != nil {
+	}); err != nil {
 		panic("Failed to register custom validation for client_id: " + err.Error())
 	}

-	err = v.RegisterValidation("ttl", func(fl validator.FieldLevel) bool {
+	if err := v.RegisterValidation("ttl", func(fl validator.FieldLevel) bool {
 		ttl, ok := fl.Field().Interface().(utils.JSONDuration)
 		if !ok {
 			return false
 		}
 		// Allow zero, which means the field wasn't set
-		return ttl.Duration == 0 || ttl.Duration > time.Second && ttl.Duration <= maxTTL
-	})
-	if err != nil {
+		return ttl.Duration == 0 || (ttl.Duration > time.Second && ttl.Duration <= maxTTL)
+	}); err != nil {
 		panic("Failed to register custom validation for ttl: " + err.Error())
 	}
+
+	if err := v.RegisterValidation("callback_url", func(fl validator.FieldLevel) bool {
+		return ValidateCallbackURL(fl.Field().String())
+	}); err != nil {
+		panic("Failed to register custom validation for callback_url: " + err.Error())
+	}
 }

 // ValidateUsername validates username inputs
@@ -60,3 +64,24 @@ func ValidateUsername(username string) bool {
 func ValidateClientID(clientID string) bool {
 	return validateClientIDRegex.MatchString(clientID)
 }
+
+// ValidateCallbackURL validates callback URLs with support for wildcards
+func ValidateCallbackURL(raw string) bool {
+	if raw == "*" {
+		return true
+	}
+
+	// Replace all '*' with 'x' to check if the rest is still a valid URI
+	test := strings.ReplaceAll(raw, "*", "x")
+
+	u, err := url.Parse(test)
+	if err != nil {
+		return false
+	}
+
+	if !u.IsAbs() {
+		return false
+	}
+
+	return true
+}