fix: tos_uri validation

ory · Feb 20, 2025 · fc80a5b · fc80a5b
1 parent a0e7ee2
commit fc80a5b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/client/validator.go b/client/validator.go
@@ -89,6 +89,18 @@ func (v *Validator) Validate(ctx context.Context, c *Client) error {
 		}
 	}
 
+	if c.TermsOfServiceURI != "" {
+		u, err := url.ParseRequestURI(c.TermsOfServiceURI)
+		if err != nil {
+			return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Field tos_uri must be a valid URI."))
+		}
+
+		if u.Scheme != "https" && u.Scheme != "http" {
+			return errorsx.WithStack(ErrInvalidClientMetadata.WithHintf("tos_uri %s must use https:// or http:// as HTTP scheme.", c.TermsOfServiceURI))
+		}
+
+	}
+
 	if len(c.Secret) > 0 && len(c.Secret) < 6 {
 		return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Field client_secret must contain a secret that is at least 6 characters long."))
 	}

diff --git a/client/validator_test.go b/client/validator_test.go
@@ -38,8 +38,6 @@ func TestValidate(t *testing.T) {
 	reg := testhelpers.NewRegistryMemory(t, c, &contextx.Static{C: c.Source(ctx)})
 	v := NewValidator(reg)
 
-	testCtx := context.TODO()
-
 	dec := json.NewDecoder(strings.NewReader(validJWKS))
 	dec.DisallowUnknownFields()
 	var goodJWKS jose.JSONWebKeySet
@@ -130,6 +128,10 @@ func TestValidate(t *testing.T) {
 				assert.Equal(t, []string{"https://foo/"}, []string(c.PostLogoutRedirectURIs))
 			},
 		},
+		{
+			in:        &Client{ID: "foo", TermsOfServiceURI: "javascript:alert('XSS')"},
+			assertErr: assert.Error,
+		},
 		{
 			in: &Client{ID: "foo"},
 			check: func(t *testing.T, c *Client) {
@@ -164,7 +166,7 @@ func TestValidate(t *testing.T) {
 					return v
 				}
 			}
-			err := tc.v(t).Validate(testCtx, tc.in)
+			err := tc.v(t).Validate(ctx, tc.in)
 			if tc.assertErr != nil {
 				tc.assertErr(t, err)
 			} else {
@@ -180,7 +182,7 @@ type fakeHTTP struct {
 	c *http.Client
 }
 
-func (f *fakeHTTP) HTTPClient(ctx context.Context, opts ...httpx.ResilientOptions) *retryablehttp.Client {
+func (f *fakeHTTP) HTTPClient(_ context.Context, opts ...httpx.ResilientOptions) *retryablehttp.Client {
 	c := httpx.NewResilientClient(opts...)
 	c.HTTPClient = f.c
 	return c
@@ -191,7 +193,7 @@ func TestValidateSectorIdentifierURL(t *testing.T) {
 	var payload string
 
 	var h http.HandlerFunc = func(w http.ResponseWriter, r *http.Request) {
-		w.Write([]byte(payload))
+		_, _ = w.Write([]byte(payload))
 	}
 	ts := httptest.NewTLSServer(h)
 	defer ts.Close()