
Conversation

ashanthamara
Contributor

Proposed changes in this pull request

This pull request updates the callback URI validation logic in the OAuth2 authorization request validator. The main change is an improvement to how regular expressions are handled to ensure more accurate matching of callback URIs.

Callback URI validation improvements:

  • The code now escapes the characters ".", "?" and "+" in the regular expression only when they are followed by a letter or digit (e.g., ".com", ".org"), which prevents unintended matches and avoids interfering with wildcard patterns like ".*", ".+" or ".{n}", when the particular configuration is enabled.
  • The validation logic now checks for the presence of a regular expression: if none is provided, it falls back to a direct string comparison between the registered and provided callback URIs.
  • Also adds a diagnostic log to identify the failing callback validations when the literal characters are enforced, before enforcing the new behavior with the configuration.


codecov bot commented Sep 9, 2025

Codecov Report

❌ Patch coverage is 90.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 57.81%. Comparing base (34cf007) to head (62a05d6).
⚠️ Report is 24 commits behind head on master.

Files with missing lines Patch % Lines
...lidators/AbstractResponseTypeRequestValidator.java 90.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master    #2900      +/-   ##
============================================
+ Coverage     56.08%   57.81%   +1.72%     
+ Complexity     9354     9088     -266     
============================================
  Files           669      669              
  Lines         53762    50708    -3054     
  Branches      11860    11226     -634     
============================================
- Hits          30155    29317     -838     
+ Misses        19378    17305    -2073     
+ Partials       4229     4086     -143     
Flag Coverage Δ
unit 40.49% <90.00%> (+0.19%) ⬆️


@madurangasiriwardena madurangasiriwardena marked this pull request as ready for review September 25, 2025 12:16
@Copilot Copilot AI review requested due to automatic review settings September 25, 2025 12:40

@Copilot Copilot AI left a comment


Pull Request Overview

This pull request enhances OAuth2 callback URI validation by introducing configurable literal character enforcement in regular expressions. The main improvement addresses security concerns where regex special characters (., +, ?) could cause unintended matches in callback URI patterns.

  • Adds configuration-driven literal character enforcement for regex validation
  • Implements diagnostic logging to identify validation failures when literal enforcement would apply
  • Updates test coverage to validate the new enforcement behavior across various callback URI scenarios

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Files reviewed:
  • AbstractResponseTypeRequestValidator.java: Core implementation of configurable literal character enforcement and diagnostic logging
  • AbstractResponseTypeRequestValidatorCallbackURITest.java: Comprehensive test suite for the new callback URI validation logic
  • testng.xml: Test configuration update to include the new test class
  • OAuth2ServiceTest.java: Simplified existing test data provider by removing redundant test cases


Comment on lines +359 to +360
Escape (.), (+), (?) only when followed by a letter/digit (so .com, .org, etc. get escaped),
but don't touch .* or .+ or .{n} .
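Review bot: the comment says ".+" is left untouched, but the rule it states (escape only when the next character is a letter or digit) will still escape the "+" in a pattern such as ".+example", because that "+" is followed by a letter; the same applies to a "?" after a group, as in "(...)?path". Either state that a quantifier must be followed by a non-alphanumeric character, or exclude a "+" or "?" that itself follows ".", ")" or "]".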

Copilot AI Sep 25, 2025


The word 'charactors' in the PR title should be 'characters'. Also, the comment should end with proper punctuation and formatting.

Suggested change
Escape (.), (+), (?) only when followed by a letter/digit (so .com, .org, etc. get escaped),
but don't touch .* or .+ or .{n} .
Escape (.), (+), (?) only when followed by a letter/digit (so .com, .org, etc. get escaped),
but don't touch .* or .+ or .{n}.


@madurangasiriwardena madurangasiriwardena merged commit 3451434 into wso2-extensions:master Sep 26, 2025
3 checks passed