Fix MSC2966 compliance around redirect_uri validity

t3chguy · t3chguy · commit 5ec9bfc7fa66 · 2025-05-07T18:49:52.000+01:00
Fixes #4528
diff --git a/policies/client_registration/client_registration.rego b/policies/client_registration/client_registration.rego
@@ -13,7 +13,7 @@ allow if {
 
 parse_uri(url) := obj if {
 	is_string(url)
-	url_regex := `^(?P<scheme>[a-z][a-z0-9+.-]*):(?://(?P<host>((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\[::1\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-]*)$`
+	url_regex := `^(?P<scheme>[a-z][a-z0-9+.-]*):(?://(?P<host>((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\[::1\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-]*)?(?P<query>\?[A-Za-z0-9/.-=]*)?$`
 	[matches] := regex.find_all_string_submatch_n(url_regex, url, 1)
 	obj := {"scheme": matches[1], "authority": matches[2], "host": matches[3], "port": matches[4], "path": matches[5]}
 }
diff --git a/policies/client_registration/client_registration_test.rego b/policies/client_registration/client_registration_test.rego
@@ -212,7 +212,7 @@ test_web_redirect_uri if {
 	client_registration.allow with input.client_metadata as {
 		"application_type": "web",
 		"client_uri": "https://example.com/",
-		"redirect_uris": ["https://example.com/second/callback", "https://example.com/callback"],
+		"redirect_uris": ["https://example.com/second/callback", "https://example.com/callback", "https://example.com/callback?query=value"],
 	}
 }
 
@@ -289,6 +289,14 @@ test_web_redirect_uri_localhost_not_allowed if {
 	}
 }
 
+test_web_redirect_uri_with_query if {
+	client_registration.allow with input.client_metadata as {
+		"application_type": "web",
+		"client_uri": "https://example.com/",
+		"redirect_uris": ["https://example.com/callback?query=value", "https://example.com?query=value"],
+	}
+}
+
 test_native_redirect_uri_allowed if {
 	# This has all the redirect URIs types we're supporting for native apps
 	client_registration.allow with input.client_metadata as {
@@ -387,4 +395,4 @@ test_reverse_dns_match if {
 	client_registration.reverse_dns_match("example.com", "com.example.app")
 	not client_registration.reverse_dns_match("example.com", "org.example")
 	not client_registration.reverse_dns_match("test.com", "com.example")
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ allow if {`
`13`	`13`
`14`	`14`	`parse_uri(url) := obj if {`
`15`	`15`	`is_string(url)`
`16`		- url_regex := `^(?P<scheme>[a-z][a-z0-9+.-]):(?://(?P<host>((?:(?:[a-z0-9]\|[a-z0-9][a-z0-9-][a-z0-9])\.)(?:[a-z0-9]\|[a-z0-9][a-z0-9-][a-z0-9])\|127.0.0.1\|0.0.0.0\|\[::1\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-]*)$`
	`16`	+ url_regex := `^(?P<scheme>[a-z][a-z0-9+.-]):(?://(?P<host>((?:(?:[a-z0-9]\|[a-z0-9][a-z0-9-][a-z0-9])\.)(?:[a-z0-9]\|[a-z0-9][a-z0-9-][a-z0-9])\|127.0.0.1\|0.0.0.0\|\[::1\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-])?(?P<query>\?[A-Za-z0-9/.-=])?$`
`17`	`17`	`[matches] := regex.find_all_string_submatch_n(url_regex, url, 1)`
`18`	`18`	`obj := {"scheme": matches[1], "authority": matches[2], "host": matches[3], "port": matches[4], "path": matches[5]}`
`19`	`19`	`}`