
Commit 31a8bd5

escape only values
1 parent 767932d commit 31a8bd5

10 files changed

+44
-41
lines changed

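--- a/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp
+++ b/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp
@@ -50,7 +50,7 @@ void THandlerImpersonateStart::Bootstrap(const NActors::TActorContext& ctx) {
 RequestImpersonatedToken(sessionToken, serviceAccountId, ctx);
 }
 
-void THandlerImpersonateStart::RequestImpersonatedToken(const TString& sessionToken, const TString& serviceAccountId, const NActors::TActorContext& ctx) {
+void THandlerImpersonateStart::RequestImpersonatedToken(TString& sessionToken, TString& serviceAccountId, const NActors::TActorContext& ctx) {
 BLOG_D("Request impersonated token");
 NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetImpersonateEndpointURL());
 httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
@@ -62,12 +62,12 @@ void THandlerImpersonateStart::RequestImpersonatedToken(const TString& sessionTo
 }
 httpRequest->Set("Authorization", token); // Bearer included
 
+CGIEscape(sessionToken);
+CGIEscape(serviceAccountId);
 TStringBuilder body;
 body << "session=" << sessionToken
 << "&service_account_id=" << serviceAccountId;
-TString bodyStr = body;
-CGIEscape(bodyStr);
-httpRequest->Set<&NHttp::THttpRequest::Body>(bodyStr);
+httpRequest->Set<&NHttp::THttpRequest::Body>(body);
 
 ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
 Become(&THandlerImpersonateStart::StateWork);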
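--- a/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h
+++ b/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h
@@ -23,7 +23,7 @@ class THandlerImpersonateStart : public NActors::TActorBootstrapped<THandlerImpe
 const NActors::TActorId& httpProxyId,
 const TOpenIdConnectSettings& settings);
 void Bootstrap(const NActors::TActorContext& ctx);
-void RequestImpersonatedToken(const TString&, const TString&, const NActors::TActorContext&);
+void RequestImpersonatedToken(TString&, TString&, const NActors::TActorContext&);
 void ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx);
 void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx);
 void ReplyAndDie(NHttp::THttpOutgoingResponsePtr httpResponse, const NActors::TActorContext& ctx);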
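--- a/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp
+++ b/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp
@@ -87,17 +87,15 @@ void THandlerSessionServiceCheckNebius::SendTokenExchangeRequest(const TStringBu
 token = tokenator->GetToken(Settings.SessionServiceTokenName);
 }
 httpRequest->Set("Authorization", token); // Bearer included
-
-TString bodyStr = body;
-CGIEscape(bodyStr);
-httpRequest->Set<&NHttp::THttpRequest::Body>(bodyStr);
+httpRequest->Set<&NHttp::THttpRequest::Body>(body);
 
 ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
 Become(&THandlerSessionServiceCheckNebius::StateExchange);
 }
 
-void THandlerSessionServiceCheckNebius::ExchangeSessionToken(const TString& sessionToken, const NActors::TActorContext& ctx) {
+void THandlerSessionServiceCheckNebius::ExchangeSessionToken(TString& sessionToken, const NActors::TActorContext& ctx) {
 BLOG_D("Exchange session token");
+CGIEscape(sessionToken);
 TStringBuilder body;
 body << "grant_type=urn:ietf:params:oauth:grant-type:token-exchange"
 << "&requested_token_type=urn:ietf:params:oauth:token-type:access_token"
@@ -107,8 +105,10 @@ void THandlerSessionServiceCheckNebius::ExchangeSessionToken(const TString& sess
 SendTokenExchangeRequest(body, ETokenExchangeType::SessionToken, ctx);
 }
 
-void THandlerSessionServiceCheckNebius::ExchangeImpersonatedToken(const TString& sessionToken, const TString& impersonatedToken, const NActors::TActorContext& ctx) {
+void THandlerSessionServiceCheckNebius::ExchangeImpersonatedToken(TString& sessionToken, TString& impersonatedToken, const NActors::TActorContext& ctx) {
 BLOG_D("Exchange impersonated token");
+CGIEscape(sessionToken);
+CGIEscape(impersonatedToken);
 TStringBuilder body;
 body << "grant_type=urn:ietf:params:oauth:grant-type:token-exchange"
 << "&requested_token_type=urn:ietf:params:oauth:token-type:access_token"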
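--- a/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.h
+++ b/ydb/mvp/oidc_proxy/oidc_protected_page_nebius.h
@@ -42,8 +42,8 @@ class THandlerSessionServiceCheckNebius : public THandlerSessionServiceCheck {
 
 private:
 void SendTokenExchangeRequest(const TStringBuilder& body, const ETokenExchangeType exchangeType, const NActors::TActorContext& ctx);
-void ExchangeSessionToken(const TString& sessionToken, const NActors::TActorContext& ctx);
-void ExchangeImpersonatedToken(const TString& sessionToken, const TString& impersonatedToken, const NActors::TActorContext& ctx);
+void ExchangeSessionToken(TString& sessionToken, const NActors::TActorContext& ctx);
+void ExchangeImpersonatedToken(TString& sessionToken, TString& impersonatedToken, const NActors::TActorContext& ctx);
 void ClearImpersonatedCookie(const NActors::TActorContext& ctx);
 void RequestAuthorizationCode(const NActors::TActorContext& ctx);
 void ForwardUserRequest(TStringBuf authHeader, const NActors::TActorContext& ctx, bool secure = false) override;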

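--- a/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp
+++ b/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp
@@ -633,16 +633,16 @@ Y_UNIT_TEST_SUITE(Mvp) {
 const NActors::TActorId sessionCreator = runtime.Register(new TSessionCreateHandler(edge, settings));
 incomingRequest = new NHttp::THttpIncomingRequest();
 TStringBuilder request;
-request << "GET /auth/callback?code=code_template&state=" << state << " HTTP/1.1\r\n";
+request << "GET /auth/callback?code=code_template#&state=" << state << " HTTP/1.1\r\n";
 request << "Host: " + hostProxy + "\r\n";
 request << "Cookie: " << setCookie.NextTok(";") << "\r\n";
 EatWholeString(incomingRequest, redirectStrategy.CreateRequest(request));
 runtime.Send(new IEventHandle(sessionCreator, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingRequest(incomingRequest)));
 
 auto outgoingRequestEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingRequest>(handle);
 const TStringBuf& body = outgoingRequestEv->Request->Body;
-UNIT_ASSERT_STRING_CONTAINS(body, "code%3Dcode_template");
-UNIT_ASSERT_STRING_CONTAINS(body, "grant_type%3Dauthorization_code");
+UNIT_ASSERT_STRING_CONTAINS(body, "code=code_template%23");
+UNIT_ASSERT_STRING_CONTAINS(body, "grant_type=authorization_code");
 
 const TString authorizationServerResponse = R"___({"access_token":"access_token_value","token_type":"bearer","expires_in":43199,"scope":"openid","id_token":"id_token_value"})___";
 NHttp::THttpIncomingResponsePtr incomingResponse = new NHttp::THttpIncomingResponse(outgoingRequestEv->Request);
@@ -724,7 +724,7 @@ Y_UNIT_TEST_SUITE(Mvp) {
 }
 const TString hostProxy = "oidcproxy.net";
 TStringBuilder request;
-request << "GET /auth/callback?code=code_template&state=" << wrongState << " HTTP/1.1\r\n";
+request << "GET /auth/callback?code=code_template#&state=" << wrongState << " HTTP/1.1\r\n";
 request << "Host: " + hostProxy + "\r\n";
 TString cookie = context.CreateYdbOidcCookie(settings.ClientSecret);
 TStringBuf cookieBuf(cookie);
@@ -778,7 +778,7 @@ Y_UNIT_TEST_SUITE(Mvp) {
 
 TContext context({.State = "test_state", .RequestedAddress = "/requested/page", .AjaxRequest = false});
 TStringBuilder request;
-request << "GET /auth/callback?code=code_template&state=" << context.GetState(settings.ClientSecret) << " HTTP/1.1\r\n";
+request << "GET /auth/callback?code=code_template#&state=" << context.GetState(settings.ClientSecret) << " HTTP/1.1\r\n";
 request << "Host: oidcproxy.net\r\n";
 TString cookie = context.CreateYdbOidcCookie(settings.ClientSecret);
 TStringBuf cookieBuf(cookie);
@@ -793,8 +793,8 @@ Y_UNIT_TEST_SUITE(Mvp) {
 TAutoPtr<IEventHandle> handle;
 auto outgoingRequestEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingRequest>(handle);
 const TStringBuf& body = outgoingRequestEv->Request->Body;
-UNIT_ASSERT_STRING_CONTAINS(body, "code%3Dcode_template");
-UNIT_ASSERT_STRING_CONTAINS(body, "grant_type%3Dauthorization_code");
+UNIT_ASSERT_STRING_CONTAINS(body, "code=code_template%23");
+UNIT_ASSERT_STRING_CONTAINS(body, "grant_type=authorization_code");
 
 const TString authorizationServerResponse = R"___({"access_token":"access_token_value","token_type":"bearer","expires_in":43199,"scope":"openid","id_token":"id_token_value"})___";
 NHttp::THttpIncomingResponsePtr incomingResponse = new NHttp::THttpIncomingResponse(outgoingRequestEv->Request);
@@ -832,7 +832,7 @@ Y_UNIT_TEST_SUITE(Mvp) {
 const NActors::TActorId sessionCreator = runtime.Register(new TSessionCreateHandler(edge, settings));
 TContext context({.State = "test_state", .RequestedAddress = "/requested/page", .AjaxRequest = redirectStrategy.IsAjaxRequest()});
 TStringBuilder request;
-request << "GET /auth/callback?code=code_template&state=" << context.GetState(settings.ClientSecret) << " HTTP/1.1\r\n";
+request << "GET /auth/callback?code=code_template#&state=" << context.GetState(settings.ClientSecret) << " HTTP/1.1\r\n";
 request << "Host: oidcproxy.net\r\n";
 TString cookie = context.CreateYdbOidcCookie(settings.ClientSecret);
 TStringBuf cookieBuf(cookie);
@@ -848,8 +848,8 @@ Y_UNIT_TEST_SUITE(Mvp) {
 TAutoPtr<IEventHandle> handle;
 auto outgoingRequestEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingRequest>(handle);
 const TStringBuf& body = outgoingRequestEv->Request->Body;
-UNIT_ASSERT_STRING_CONTAINS(body, "code%3Dcode_template");
-UNIT_ASSERT_STRING_CONTAINS(body, "grant_type%3Dauthorization_code");
+UNIT_ASSERT_STRING_CONTAINS(body, "code=code_template%23");
+UNIT_ASSERT_STRING_CONTAINS(body, "grant_type=authorization_code");
 
 const TString authorizationServerResponse = R"___({"access_token":"invalid_access_token","token_type":"bearer","expires_in":43199,"scope":"openid","id_token":"id_token_value"})___";
 NHttp::THttpIncomingResponsePtr incomingResponse = new NHttp::THttpIncomingResponse(outgoingRequestEv->Request);
@@ -899,7 +899,7 @@ Y_UNIT_TEST_SUITE(Mvp) {
 
 TContext context({.State = "test_state", .RequestedAddress = "/requested/page", .AjaxRequest = false});
 TStringBuilder request;
-request << "GET /callback?code=code_template&state=" << context.GetState(settings.ClientSecret) << " HTTP/1.1\r\n";
+request << "GET /callback?code=code_template#&state=" << context.GetState(settings.ClientSecret) << " HTTP/1.1\r\n";
 request << "Host: oidcproxy.net\r\n";
 TString cookie = context.CreateYdbOidcCookie(settings.ClientSecret);
 TStringBuf cookieBuf(cookie);
@@ -915,8 +915,8 @@ Y_UNIT_TEST_SUITE(Mvp) {
 auto outgoingRequestEv = runtime.GrabEdgeEvent<NHttp::TEvHttpProxy::TEvHttpOutgoingRequest>(handle);
 const TStringBuf& body = outgoingRequestEv->Request->Body;
 
-UNIT_ASSERT_STRING_CONTAINS(body, "code%3Dcode_template");
-UNIT_ASSERT_STRING_CONTAINS(body, "grant_type%3Dauthorization_code");
+UNIT_ASSERT_STRING_CONTAINS(body, "code=code_template%23");
+UNIT_ASSERT_STRING_CONTAINS(body, "grant_type=authorization_code");
 
 const TString authorizationServerResponse = R"___({"access_token":"access_token_value","token_type":"bearer","expires_in":43199,"scope":"openid","id_token":"id_token_value"})___";
 NHttp::THttpIncomingResponsePtr incomingResponse = new NHttp::THttpIncomingResponse(outgoingRequestEv->Request);
@@ -1062,7 +1062,7 @@ Y_UNIT_TEST_SUITE(Mvp) {
 TContext context({.State = "good_state", .RequestedAddress = "/requested/page", .AjaxRequest = false});
 const TString hostProxy = "oidcproxy.net";
 TStringBuilder request;
-request << "GET /auth/callback?code=code_template&state=" << context.GetState(settings.ClientSecret) << " HTTP/1.1\r\n";
+request << "GET /auth/callback?code=code_template#&state=" << context.GetState(settings.ClientSecret) << " HTTP/1.1\r\n";
 request << "Host: " + hostProxy + "\r\n";
 NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest();
 EatWholeString(incomingRequest, request);
@@ -1106,7 +1106,7 @@ Y_UNIT_TEST_SUITE(Mvp) {
 }
 const TString hostProxy = "oidcproxy.net";
 TStringBuilder request;
-request << "GET /auth/callback?code=code_template&state=" << wrongState << " HTTP/1.1\r\n";
+request << "GET /auth/callback?code=code_template#&state=" << wrongState << " HTTP/1.1\r\n";
 request << "Host: " + hostProxy + "\r\n";
 TString cookie = context.CreateYdbOidcCookie(settings.ClientSecret);
 TStringBuf cookieBuf(cookie);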
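--- a/ydb/mvp/oidc_proxy/oidc_session_create.h
+++ b/ydb/mvp/oidc_proxy/oidc_session_create.h
@@ -28,7 +28,7 @@ class THandlerSessionCreate : public NActors::TActorBootstrapped<THandlerSession
 const NActors::TActorId& httpProxyId,
 const TOpenIdConnectSettings& settings);
 
-virtual void RequestSessionToken(const TString&, const NActors::TActorContext&) = 0;
+virtual void RequestSessionToken(TString&, const NActors::TActorContext&) = 0;
 virtual void ProcessSessionToken(const TString& accessToken, const NActors::TActorContext&) = 0;
 
 void Bootstrap(const NActors::TActorContext& ctx);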
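--- a/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp
+++ b/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp
@@ -14,11 +14,13 @@ THandlerSessionCreateNebius::THandlerSessionCreateNebius(const NActors::TActorId
 : THandlerSessionCreate(sender, request, httpProxyId, settings)
 {}
 
-void THandlerSessionCreateNebius::RequestSessionToken(const TString& code, const NActors::TActorContext& ctx) {
-TStringBuilder body;
+void THandlerSessionCreateNebius::RequestSessionToken(TString& code, const NActors::TActorContext& ctx) {
 TStringBuf host = Request->Host;
+CGIEscape(code);
+
+TStringBuilder body;
 body << "code=" << code
-<< "&client_id=" << Settings.ClientId
+<< "&client_id=" << code
 << "&grant_type=authorization_code"
 << "&redirect_uri="
 << (Request->Endpoint->Secure ? "https://" : "http://")
@@ -28,10 +30,7 @@ void THandlerSessionCreateNebius::RequestSessionToken(const TString& code, const
 NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetTokenEndpointURL());
 httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
 httpRequest->Set("Authorization", Settings.GetAuthorizationString());
-
-TString bodyStr = body;
-CGIEscape(bodyStr);
-httpRequest->Set<&NHttp::THttpRequest::Body>(bodyStr);
+httpRequest->Set<&NHttp::THttpRequest::Body>(body);
 
 ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
 Become(&THandlerSessionCreateNebius::StateWork);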
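--- a/ydb/mvp/oidc_proxy/oidc_session_create_nebius.h
+++ b/ydb/mvp/oidc_proxy/oidc_session_create_nebius.h
@@ -16,7 +16,7 @@ class THandlerSessionCreateNebius : public THandlerSessionCreate {
 const NActors::TActorId& httpProxyId,
 const TOpenIdConnectSettings& settings);
 
-void RequestSessionToken(const TString& code, const NActors::TActorContext& ctx) override;
+void RequestSessionToken(TString& code, const NActors::TActorContext& ctx) override;
 void ProcessSessionToken(const TString& sessionToken, const NActors::TActorContext& ctx) override;
 
 private: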
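--- a/ydb/mvp/oidc_proxy/oidc_session_create_yandex.cpp
+++ b/ydb/mvp/oidc_proxy/oidc_session_create_yandex.cpp
@@ -17,13 +17,17 @@ THandlerSessionCreateYandex::THandlerSessionCreateYandex(const NActors::TActorId
 : THandlerSessionCreate(sender, request, httpProxyId, settings)
 {}
 
-void THandlerSessionCreateYandex::RequestSessionToken(const TString& code, const NActors::TActorContext& ctx) {
+void THandlerSessionCreateYandex::RequestSessionToken(TString& code, const NActors::TActorContext& ctx) {
 NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetTokenEndpointURL());
 httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
 httpRequest->Set("Authorization", Settings.GetAuthorizationString());
-TString body = "grant_type=authorization_code&code=" + code;
-CGIEscape(body);
+
+CGIEscape(code);
+TStringBuilder body;
+body << "grant_type=authorization_code"
+<< "&code=" << code;
 httpRequest->Set<&NHttp::THttpRequest::Body>(body);
+
 ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
 Become(&THandlerSessionCreateYandex::StateWork);
 }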
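--- a/ydb/mvp/oidc_proxy/oidc_session_create_yandex.h
+++ b/ydb/mvp/oidc_proxy/oidc_session_create_yandex.h
@@ -18,7 +18,7 @@ class THandlerSessionCreateYandex : public THandlerSessionCreate {
 const NActors::TActorId& httpProxyId,
 const TOpenIdConnectSettings& settings);
 
-void RequestSessionToken(const TString& code, const NActors::TActorContext& ctx) override;
+void RequestSessionToken(TString& code, const NActors::TActorContext& ctx) override;
 void ProcessSessionToken(const TString& sessionToken, const NActors::TActorContext& ctx) override;
 void HandleCreateSession(TEvPrivate::TEvCreateSessionResponse::TPtr event, const NActors::TActorContext& ctx);
 void HandleError(TEvPrivate::TEvErrorResponse::TPtr event, const NActors::TActorContext& ctx);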