notfire/Iceshrimp.NET
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Validate scopes on /api/v1/apps

Browse source
This commit is contained in:
Laura Hausmann 2024-01-30 19:50:00 +01:00
parent a734583b15
commit 8b7c227619
No known key found for this signature in database
GPG key ID: D044E84C5BE01605
2 changed files with 28 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
Iceshrimp.Backend/Controllers/Mastodon/MastodonAuthController.cs
View file

@ -45,6 +45,18 @@ public class MastodonAuthController(DatabaseContext db) : Controller {
if (request.RedirectUris.Any(p => !MastodonOauthHelpers.ValidateRedirectUri(p))) if (request.RedirectUris.Any(p => !MastodonOauthHelpers.ValidateRedirectUri(p)))
throw GracefulException.BadRequest("redirect_uris parameter contains invalid protocols"); throw GracefulException.BadRequest("redirect_uris parameter contains invalid protocols");
if (!MastodonOauthHelpers.ValidateScopes(request.Scopes))
throw GracefulException.BadRequest("Invalid scopes parameter");
if (request.Website != null)
try {
var uri = new Uri(request.Website);
if (!uri.IsAbsoluteUri || uri.Scheme is "http" or "https") throw new Exception();
}
catch {
throw GracefulException.BadRequest("Invalid website URL");
}
var app = new OauthApp { var app = new OauthApp {
Id = IdHelpers.GenerateSlowflakeId(), Id = IdHelpers.GenerateSlowflakeId(),
ClientId = CryptographyHelpers.GenerateRandomString(32), ClientId = CryptographyHelpers.GenerateRandomString(32),

19
Iceshrimp.Backend/Core/Helpers/MastodonOauthHelpers.cs
View file

@ -40,6 +40,15 @@ public static class MastodonOauthHelpers {
"write:mutes" "write:mutes"
]; ];
private static readonly List<string> ScopeGroups = [
"read",
"write",
"follow",
"push"
];
private static readonly List<string> ForbiddenSchemes = ["javascript", "file", "data", "mailto", "tel"];
public static IEnumerable<string> ExpandScopes(IEnumerable<string> scopes) { public static IEnumerable<string> ExpandScopes(IEnumerable<string> scopes) {
var res = new List<string>(); var res = new List<string>();
foreach (var scope in scopes) { foreach (var scope in scopes) {
@ -49,15 +58,19 @@ public static class MastodonOauthHelpers {
res.AddRange(WriteScopes); res.AddRange(WriteScopes);
if (scope == "follow") if (scope == "follow")
res.AddRange(FollowScopes); res.AddRange(FollowScopes);
else { else
res.Add(scope); res.Add(scope);
}
} }
return res.Distinct(); return res.Distinct();
} }
private static readonly List<string> ForbiddenSchemes = ["javascript", "file", "data", "mailto", "tel"]; public static bool ValidateScopes(List<string> scopes) {
if (scopes.Distinct().Count() < scopes.Count) return false;
var validScopes = ScopeGroups.Concat(ReadScopes).Concat(WriteScopes).Concat(FollowScopes);
return !scopes.Except(validScopes).Any();
}
public static bool ValidateRedirectUri(string uri) { public static bool ValidateRedirectUri(string uri) {
if (uri == "urn:ietf:wg:oauth:2.0:oob") return true; if (uri == "urn:ietf:wg:oauth:2.0:oob") return true;