@@ -289,6 +289,24 @@ def test_code_post_auth_forbidden_redirect_uri(self):
289289 response = self .client .post (reverse ('oauth2_provider:authorize' ), data = form_data )
290290 self .assertEqual (response .status_code , 400 )
291291
292+ def test_code_post_auth_malicious_redirect_uri (self ):
293+ """
294+ Test validation of a malicious redirect_uri
295+ """
296+ self .client .login (username = "test_user" , password = "123456" )
297+
298+ form_data = {
299+ 'client_id' : self .application .client_id ,
300+ 'state' : 'random_state_string' ,
301+ 'scope' : 'read write' ,
302+ 'redirect_uri' : '/../' ,
303+ 'response_type' : 'code' ,
304+ 'allow' : True ,
305+ }
306+
307+ response = self .client .post (reverse ('oauth2_provider:authorize' ), data = form_data )
308+ self .assertEqual (response .status_code , 400 )
309+
292310
293311class TestAuthorizationCodeTokenView (BaseTest ):
294312 def get_auth (self ):
@@ -594,6 +612,27 @@ def test_public(self):
594612 self .assertEqual (content ['scope' ], "read write" )
595613 self .assertEqual (content ['expires_in' ], oauth2_settings .ACCESS_TOKEN_EXPIRE_SECONDS )
596614
615+ def test_malicious_redirect_uri (self ):
616+ """
617+ Request an access token using client_type: public and ensure redirect_uri is
618+ properly validated.
619+ """
620+ self .client .login (username = "test_user" , password = "123456" )
621+
622+ self .application .client_type = Application .CLIENT_PUBLIC
623+ self .application .save ()
624+ authorization_code = self .get_auth ()
625+
626+ token_request_data = {
627+ 'grant_type' : 'authorization_code' ,
628+ 'code' : authorization_code ,
629+ 'redirect_uri' : '/../' ,
630+ 'client_id' : self .application .client_id
631+ }
632+
633+ response = self .client .post (reverse ('oauth2_provider:token' ), data = token_request_data )
634+ self .assertEqual (response .status_code , 400 )
635+
597636
598637class TestAuthorizationCodeProtectedResource (BaseTest ):
599638 def test_resource_access_allowed (self ):
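Review bot: Both added tests (test_code_post_auth_malicious_redirect_uri and test_malicious_redirect_uri) pin only the 400 status, so a 400 caused by any other validation failure would let them pass even if the relative `redirect_uri` were accepted. Asserting on the response body as well, e.g. `content = json.loads(response.content)` followed by a check of `content['error']`, would tie the failure to the redirect_uri check; the JSON body shape is inferred from the neighbouring test that reads `content['scope']`, so confirm the error path returns JSON too. The docstrings could also say what "malicious" means here, e.g. `Reject a relative redirect_uri ("/../"); only an absolute URI matching the registered one is valid.`, so later readers know which class of input is covered. In test_malicious_redirect_uri the application's client_type is switched to public and saved, which is fine if BaseTest rebuilds the application per test but would leak into sibling tests otherwise.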