fix(auth): prevent javascript url injection in oauth endpoints

Author: arjunkmrm

src/client/auth.ts

@@ -12,7 +12,7 @@ import {
   OpenIdProviderDiscoveryMetadataSchema
 } from "../shared/auth.js";
 import { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from "../shared/auth.js";
-import { checkResourceAllowed, resourceUrlFromServerUrl } from "../shared/auth-utils.js";
+import { checkResourceAllowed, resourceUrlFromServerUrl, isValidOAuthScheme } from "../shared/auth-utils.js";
 import {
   InvalidClientError,
   InvalidGrantError,
@@ -820,6 +820,9 @@ export async function startAuthorization(
   let authorizationUrl: URL;
   if (metadata) {
     authorizationUrl = new URL(metadata.authorization_endpoint);
+    if (!isValidOAuthScheme(authorizationUrl)) {
+      throw new Error(`Invalid authorization_endpoint URL scheme: ${authorizationUrl.protocol}. Only http: and https: are allowed.`);
+    }
 
     if (!metadata.response_types_supported.includes(responseType)) {
       throw new Error(
@@ -911,9 +914,15 @@ export async function exchangeAuthorization(
 ): Promise<OAuthTokens> {
   const grantType = "authorization_code";
 
-  const tokenUrl = metadata?.token_endpoint
-      ? new URL(metadata.token_endpoint)
-      : new URL("/token", authorizationServerUrl);
+  let tokenUrl: URL;
+  if (metadata?.token_endpoint) {
+    tokenUrl = new URL(metadata.token_endpoint);
+    if (!isValidOAuthScheme(tokenUrl)) {
+      throw new Error(`Invalid token_endpoint URL scheme: ${tokenUrl.protocol}. Only http: and https: are allowed.`);
+    }
+  } else {
+    tokenUrl = new URL("/token", authorizationServerUrl);
+  }
 
   if (
       metadata?.grant_types_supported &&
@@ -998,6 +1007,9 @@ export async function refreshAuthorization(
   let tokenUrl: URL;
   if (metadata) {
     tokenUrl = new URL(metadata.token_endpoint);
+    if (!isValidOAuthScheme(tokenUrl)) {
+      throw new Error(`Invalid token_endpoint URL scheme: ${tokenUrl.protocol}. Only http: and https: are allowed.`);
+    }
 
     if (
       metadata.grant_types_supported &&
@@ -1069,6 +1081,9 @@ export async function registerClient(
     }
 
     registrationUrl = new URL(metadata.registration_endpoint);
+    if (!isValidOAuthScheme(registrationUrl)) {
+      throw new Error(`Invalid registration_endpoint URL scheme: ${registrationUrl.protocol}. Only http: and https: are allowed.`);
+    }
   } else {
     registrationUrl = new URL("/register", authorizationServerUrl);
   }

src/shared/auth-utils.test.ts

@@ -1,4 +1,4 @@
-import { resourceUrlFromServerUrl, checkResourceAllowed } from './auth-utils.js';
+import { resourceUrlFromServerUrl, checkResourceAllowed, isValidOAuthScheme } from './auth-utils.js';
 
 describe('auth-utils', () => {
   describe('resourceUrlFromServerUrl', () => {
@@ -58,4 +58,18 @@ describe('auth-utils', () => {
       expect(checkResourceAllowed({ requestedResource: 'https://example.com/folder', configuredResource: 'https://example.com/folder/' })).toBe(false);
     });
   });
+
+  describe('isValidOAuthScheme', () => {
+    it('should accept http and https URLs', () => {
+      expect(isValidOAuthScheme(new URL('https://auth.example.com/oauth'))).toBe(true);
+      expect(isValidOAuthScheme(new URL('http://localhost:8080/token'))).toBe(true);
+    });
+
+    it('should reject dangerous schemes', () => {
+      expect(isValidOAuthScheme(new URL('javascript:alert("XSS")'))).toBe(false);
+      expect(isValidOAuthScheme(new URL('data:text/html,<script>alert("XSS")</script>'))).toBe(false);
+      expect(isValidOAuthScheme(new URL('file:///etc/passwd'))).toBe(false);
+      expect(isValidOAuthScheme(new URL('ftp://malicious.com/file'))).toBe(false);
+    });
+  });
 });

src/shared/auth-utils.ts

@@ -1,5 +1,5 @@
 /**
- * Utilities for handling OAuth resource URIs.
+ * Utilities for handling OAuth resource URIs and security validation.
  */
 
 /**
@@ -52,3 +52,18 @@ export function resourceUrlFromServerUrl(url: URL | string ): URL {
 
    return requestedPath.startsWith(configuredPath);
  }
+
+ /**
+ * Validates that a URL uses a safe scheme for OAuth endpoints (http or https only).
+ * 
+ * This prevents XSS (Cross-Site Scripting) and RCE (Remote Code Execution) attacks 
+ * where malicious authorization servers could return endpoints with dangerous schemes 
+ * like javascript:, data:, file:, etc. that could lead to code execution when 
+ * processed by OAuth clients.
+ * 
+ * @param url - The URL to validate
+ * @returns true if the URL scheme is safe (http: or https:), false otherwise
+ */
+export function isValidOAuthScheme(url: URL): boolean {
+  return ['https:', 'http:'].includes(url.protocol);
+}