Initial changes

Author: ashok672

msal/oauth2cli/authcode.py

@@ -112,26 +112,56 @@ def do_GET(self):
         # For flexibility, we choose to not check self.path matching redirect_uri
         #assert self.path.startswith('/THE_PATH_REGISTERED_BY_THE_APP')
         qs = parse_qs(urlparse(self.path).query)
-        if qs.get('code') or qs.get("error"):  # So, it is an auth response
-            auth_response = _qs2kv(qs)
-            logger.debug("Got auth response: %s", auth_response)
-            if self.server.auth_state and self.server.auth_state != auth_response.get("state"):
-                # OAuth2 successful and error responses contain state when it was used
-                # https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2.1
-                self._send_full_response("State mismatch")  # Possibly an attack
-            else:
-                template = (self.server.success_template
-                    if "code" in qs else self.server.error_template)
-                if _is_html(template.template):
-                    safe_data = _escape(auth_response)  # Foiling an XSS attack
-                else:
-                    safe_data = auth_response
-                self._send_full_response(template.safe_substitute(**safe_data))
-                self.server.auth_response = auth_response  # Set it now, after the response is likely sent
+        if qs.get('code') or qs.get("error"):  # Auth response via query string is not allowed
+            logger.error("Received auth response via query string (GET request). "
+                        "This is a security risk. Only form_post (POST) is supported.")
+            self._send_full_response(
+                "Authentication method not supported. "
+                "The application requires response_mode=form_post for security. "
+                "Please ensure your application registration uses form_post response mode.",
+                is_ok=False)
         else:
             self._send_full_response(self.server.welcome_page)
         # NOTE: Don't do self.server.shutdown() here. It'll halt the server.
 
+    def do_POST(self):
+        # Handle form_post response mode where auth code is sent via POST body
+        content_length = int(self.headers.get('Content-Length', 0))
+        post_data = self.rfile.read(content_length).decode('utf-8')
+        try:
+            from urllib.parse import parse_qs as parse_qs_post
+        except ImportError:
+            from urlparse import parse_qs as parse_qs_post
+        
+        qs = parse_qs_post(post_data)
+        if qs.get('code') or qs.get('error'):  # So, it is an auth response
+            auth_response = _qs2kv(qs)
+            logger.debug("Got auth response via POST: %s", auth_response)
+            self._process_auth_response(auth_response)
+        else:
+            self._send_full_response("Invalid POST request", is_ok=False)
+
+    def _process_auth_response(self, auth_response):
+        """Process the auth response from either GET or POST request."""
+        if self.server.auth_state and self.server.auth_state != auth_response.get("state"):
+            # OAuth2 successful and error responses contain state when it was used
+            # https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2.1
+            self._send_full_response("State mismatch")  # Possibly an attack
+        else:
+            template = (self.server.success_template
+                if "code" in auth_response else self.server.error_template)
+            if _is_html(template.template):
+                safe_data = _escape(auth_response)  # Foiling an XSS attack
+            else:
+                safe_data = dict(auth_response)  # Make a copy to avoid mutating original
+            # Provide default values for common OAuth2 response fields
+            # to avoid showing literal placeholder text like "$error_description"
+            safe_data.setdefault("error", "")
+            safe_data.setdefault("error_description", "")
+            safe_data.setdefault("error_uri", "")
+            self._send_full_response(template.safe_substitute(**safe_data))
+            self.server.auth_response = auth_response  # Set it now, after the response is likely sent
+
     def _send_full_response(self, body, is_ok=True):
         self.send_response(200 if is_ok else 400)
         content_type = 'text/html' if _is_html(body) else 'text/plain'

msal/oauth2cli/oauth2.py

@@ -176,7 +176,16 @@ def _build_auth_request_params(self, response_type, **kwargs):
         response_type = self._stringify(response_type)
 
         params = {'client_id': self.client_id, 'response_type': response_type}
-        params.update(kwargs)  # Note: None values will override params
+        # Strictly enforce form_post for security - query string is not allowed
+        params['response_mode'] = 'form_post'
+        if 'response_mode' in kwargs and kwargs['response_mode'] != 'form_post':
+            import warnings
+            warnings.warn(
+                "response_mode='{}' is not supported for security reasons. "
+                "Using form_post instead. Query string transmission of authorization "
+                "codes is insecure and has been disabled.".format(kwargs['response_mode']),
+                UserWarning)
+        params.update({k: v for k, v in kwargs.items() if k != 'response_mode'})  # Exclude response_mode from kwargs
         params = {k: v for k, v in params.items() if v is not None}  # clean up
         if params.get('scope'):
             params['scope'] = self._stringify(params['scope'])

tests/test_authcode.py

@@ -26,17 +26,159 @@ def test_no_two_concurrent_receivers_can_listen_on_same_port(self):
                     pass
 
     def test_template_should_escape_input(self):
+        """Test that POST request with HTML in error is properly escaped"""
         with AuthCodeReceiver() as receiver:
             receiver._scheduled_actions = [(  # Injection happens here when the port is known
                 1,  # Delay it until the receiver is activated by get_auth_response()
                 lambda: self.assertEqual(
                     "<html>&lt;tag&gt;foo&lt;/tag&gt;</html>",
-                    requests.get("http://localhost:{}?error=<tag>foo</tag>".format(
-                        receiver.get_port())).text,
-                    "Unsafe data in HTML should be escaped",
+                    requests.post(
+                        "http://localhost:{}".format(receiver.get_port()),
+                        data={"error": "<tag>foo</tag>"},
+                        headers={'Content-Type': 'application/x-www-form-urlencoded'}
+                    ).text,
             ))]
             receiver.get_auth_response(  # Starts server and hang until timeout
                 timeout=3,
                 error_template="<html>$error</html>",
             )
 
+    def test_get_request_with_auth_code_is_rejected(self):
+        """Test that GET request with auth code is rejected for security"""
+        with AuthCodeReceiver() as receiver:
+            test_code = "test_auth_code_12345"
+            test_state = "test_state_67890"
+            receiver._scheduled_actions = [(
+                1,
+                lambda: self._verify_get_rejection(
+                    receiver.get_port(),
+                    code=test_code,
+                    state=test_state
+                )
+            )]
+            result = receiver.get_auth_response(
+                timeout=3,
+                state=test_state,
+            )
+            # Should not receive auth response via GET
+            self.assertIsNone(result)
+
+    def _verify_get_rejection(self, port, **params):
+        """Helper to verify GET requests with auth codes are rejected"""
+        try:
+            from urllib.parse import urlencode
+        except ImportError:
+            from urllib import urlencode
+        
+        response = requests.get(
+            "http://localhost:{}?{}".format(port, urlencode(params))
+        )
+        # Verify error message about unsupported method
+        self.assertIn("not supported", response.text.lower())
+        self.assertEqual(response.status_code, 400)
+
+    def test_post_request_with_auth_code(self):
+        """Test that POST request with auth code is handled correctly (form_post response mode)"""
+        with AuthCodeReceiver() as receiver:
+            test_code = "test_auth_code_12345"
+            test_state = "test_state_67890"
+            receiver._scheduled_actions = [(
+                1,
+                lambda: self._send_post_auth_response(
+                    receiver.get_port(),
+                    code=test_code,
+                    state=test_state
+                )
+            )]
+            result = receiver.get_auth_response(
+                timeout=3,
+                state=test_state,
+                success_template="Success: Got code $code",
+            )
+            self.assertIsNotNone(result)
+            self.assertEqual(result.get("code"), test_code)
+            self.assertEqual(result.get("state"), test_state)
+
+    def test_post_request_with_error(self):
+        """Test that POST request with error is handled correctly"""
+        with AuthCodeReceiver() as receiver:
+            test_error = "access_denied"
+            test_error_description = "User denied access"
+            receiver._scheduled_actions = [(
+                1,
+                lambda: self._send_post_auth_response(
+                    receiver.get_port(),
+                    error=test_error,
+                    error_description=test_error_description
+                )
+            )]
+            result = receiver.get_auth_response(
+                timeout=3,
+                error_template="Error: $error - $error_description",
+            )
+            self.assertIsNotNone(result)
+            self.assertEqual(result.get("error"), test_error)
+            self.assertEqual(result.get("error_description"), test_error_description)
+
+    def test_post_request_state_mismatch(self):
+        """Test that POST request with mismatched state is rejected"""
+        with AuthCodeReceiver() as receiver:
+            test_code = "test_auth_code_12345"
+            wrong_state = "wrong_state"
+            expected_state = "expected_state"
+            receiver._scheduled_actions = [(
+                1,
+                lambda: self._send_post_auth_response(
+                    receiver.get_port(),
+                    code=test_code,
+                    state=wrong_state
+                )
+            )]
+            result = receiver.get_auth_response(
+                timeout=3,
+                state=expected_state,
+            )
+            # When state mismatches, the response should not be set
+            self.assertIsNone(result)
+
+    def test_post_request_escapes_html(self):
+        """Test that POST request with HTML in error is properly escaped"""
+        with AuthCodeReceiver() as receiver:
+            malicious_error = "<script>alert('xss')</script>"
+            receiver._scheduled_actions = [(
+                1,
+                lambda: self._verify_post_escaping(receiver.get_port(), malicious_error)
+            )]
+            receiver.get_auth_response(
+                timeout=3,
+                error_template="<html>$error</html>",
+            )
+
+    def _send_post_auth_response(self, port, **params):
+        """Helper to send POST request with auth response"""
+        try:
+            from urllib.parse import urlencode
+        except ImportError:
+            from urllib import urlencode
+        
+        response = requests.post(
+            "http://localhost:{}".format(port),
+            data=params,
+            headers={'Content-Type': 'application/x-www-form-urlencoded'}
+        )
+        return response
+
+    def _verify_post_escaping(self, port, malicious_error):
+        """Helper to verify HTML escaping in POST requests"""
+        response = self._send_post_auth_response(port, error=malicious_error)
+        # Verify that the malicious script is escaped
+        self.assertIn("&lt;script&gt;", response.text)
+        self.assertNotIn("<script>", response.text)
+        # Note: The escape function also escapes single quotes to &#x27;
+        expected = "<html>&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;</html>"
+        self.assertEqual(
+            expected,
+            response.text,
+            "HTML in POST data should be escaped to prevent XSS"
+        )
+

tests/test_response_mode.py

@@ -0,0 +1,112 @@
+"""Tests for form_post response mode in authorization code flow"""
+import unittest
+import warnings
+try:
+    from urllib.parse import urlparse, parse_qs
+except ImportError:
+    from urlparse import urlparse, parse_qs
+
+from msal.oauth2cli import Client
+
+
+class TestResponseMode(unittest.TestCase):
+    """Test response_mode parameter in authorization code flow"""
+    
+    def setUp(self):
+        self.client = Client(
+            {
+                "authorization_endpoint": "https://example.com/authorize",
+                "token_endpoint": "https://example.com/token"
+            },
+            "test_client_id"
+        )
+    
+    def test_default_response_mode_is_form_post(self):
+        """Test that response_mode defaults to form_post for security"""
+        flow = self.client.initiate_auth_code_flow(
+            scope=["openid", "profile"],
+            redirect_uri="http://localhost:8080"
+        )
+        
+        # Parse the auth_uri to check query parameters
+        parsed = urlparse(flow["auth_uri"])
+        params = parse_qs(parsed.query)
+        
+        # Verify response_mode is set to form_post
+        self.assertIn("response_mode", params)
+        self.assertEqual(params["response_mode"][0], "form_post")
+    
+    def test_explicit_query_mode_shows_security_warning(self):
+        """Test that attempting to use query mode raises a security warning"""
+        with warnings.catch_warnings(record=True) as w:
+            warnings.simplefilter("always")
+            flow = self.client.initiate_auth_code_flow(
+                scope=["openid", "profile"],
+                redirect_uri="http://localhost:8080",
+                response_mode="query"
+            )
+            
+            # Verify a warning was raised
+            self.assertEqual(len(w), 1)
+            self.assertTrue(issubclass(w[0].category, Warning))
+            self.assertIn("security", str(w[0].message).lower())
+        
+        # Verify form_post is still enforced despite explicit query request
+        parsed = urlparse(flow["auth_uri"])
+        params = parse_qs(parsed.query)
+        self.assertEqual(params["response_mode"][0], "form_post")
+    
+    def test_explicit_fragment_mode_shows_security_warning(self):
+        """Test that attempting to use fragment mode raises a security warning"""
+        with warnings.catch_warnings(record=True) as w:
+            warnings.simplefilter("always")
+            flow = self.client.initiate_auth_code_flow(
+                scope=["openid", "profile"],
+                redirect_uri="http://localhost:8080",
+                response_mode="fragment"
+            )
+            
+            # Verify a warning was raised
+            self.assertEqual(len(w), 1)
+            self.assertIn("fragment", str(w[0].message))
+        
+        # Verify form_post is still enforced
+        parsed = urlparse(flow["auth_uri"])
+        params = parse_qs(parsed.query)
+        self.assertEqual(params["response_mode"][0], "form_post")
+    
+    def test_build_auth_request_params_enforces_form_post(self):
+        """Test that _build_auth_request_params enforces form_post"""
+        params = self.client._build_auth_request_params(
+            response_type="code",
+            redirect_uri="http://localhost:8080",
+            scope=["openid", "profile"],
+            state="test_state"
+        )
+        
+        # Verify response_mode is form_post
+        self.assertIn("response_mode", params)
+        self.assertEqual(params["response_mode"], "form_post")
+    
+    def test_build_auth_request_params_ignores_explicit_query_mode(self):
+        """Test that _build_auth_request_params ignores explicit query mode"""
+        with warnings.catch_warnings(record=True) as w:
+            warnings.simplefilter("always")
+            params = self.client._build_auth_request_params(
+                response_type="code",
+                redirect_uri="http://localhost:8080",
+                scope=["openid", "profile"],
+                state="test_state",
+                response_mode="query"
+            )
+            
+            # Verify warning was raised
+            self.assertGreater(len(w), 0)
+        
+        # Verify form_post is enforced despite explicit request
+        self.assertIn("response_mode", params)
+        self.assertEqual(params["response_mode"], "form_post")
+
+
+if __name__ == '__main__':
+    unittest.main()