Handle invalid hex values in query strings in DRF extension

AetherUnbound · n2ygk · commit aebb1dead64b · 2024-08-12T11:38:32.000-04:00
diff --git a/AUTHORS b/AUTHORS
@@ -83,6 +83,7 @@ Kristian Rune Larsen
 Lazaros Toumanidis
 Ludwig Hähne
 Łukasz Skarżyński
+Madison Swain-Bowden
 Marcus Sonestedt
 Matias Seniquiel
 Michael Howitz
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1425 Remove deprecated `RedirectURIValidator`, `WildcardSet` per #1345; `validate_logout_request` per #1274
 
 ### Fixed
+* #1443 Query strings with invalid hex values now raise a SuspiciousOperation exception (in DRF extension)
 ### Security
 
 ## [2.4.0] - 2024-05-13
diff --git a/oauth2_provider/contrib/rest_framework/authentication.py b/oauth2_provider/contrib/rest_framework/authentication.py
@@ -1,5 +1,6 @@
 from collections import OrderedDict
 
+from django.core.exceptions import SuspiciousOperation
 from rest_framework.authentication import BaseAuthentication
 
 from ...oauth2_backends import get_oauthlib_core
@@ -23,10 +24,18 @@ def authenticate(self, request):
         Returns two-tuple of (user, token) if authentication succeeds,
         or None otherwise.
         """
+        if request is None:
+            return None
         oauthlib_core = get_oauthlib_core()
-        valid, r = oauthlib_core.verify_request(request, scopes=[])
-        if valid:
-            return r.user, r.access_token
+        try:
+            valid, r = oauthlib_core.verify_request(request, scopes=[])
+        except ValueError as error:
+            if str(error) == "Invalid hex encoding in query string.":
+                raise SuspiciousOperation(error)
+            raise
+        else:
+            if valid:
+                return r.user, r.access_token
         request.oauth2_error = getattr(r, "oauth2_error", {})
         return None
 
diff --git a/tests/test_rest_framework.py b/tests/test_rest_framework.py
@@ -415,3 +415,9 @@ def test_authentication_none(self):
         auth = self._create_authorization_header(self.access_token.token)
         response = self.client.get("/oauth2-authentication-none/", HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 401)
+
+    def test_invalid_hex_string_in_query(self):
+        auth = self._create_authorization_header(self.access_token.token)
+        response = self.client.get("/oauth2-test/?q=73%%20of%20Arkansans", HTTP_AUTHORIZATION=auth)
+        # Should respond with a 400 rather than raise a ValueError
+        self.assertEqual(response.status_code, 400)
