Skip to content

fix(oauth2): avoid processing authorizationUrl when it is not a string #10452

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 20, 2025
Merged

fix(oauth2): avoid processing authorizationUrl when it is not a string #10452

merged 3 commits into from
May 20, 2025

Conversation

glowcloud
Copy link
Contributor

This PR avoids treating authorizationUrl as a string when it is not a string, e.g. when it is not defined:

openapi: 3.0.4
components:
  securitySchemes:
    oAuthSample: 
      type: oauth2
      flows:
        implicit:
          # authorizationUrl: https://example.com/oauth/authorize  
          scopes:
            read_pets: read your pets
            write_pets: modify pets in your account
paths:
  /pets:
    patch:
      summary: Add a new pet
      security:
        - oAuthSample:
          - write_pets
          - read_pets

@glowcloud glowcloud requested a review from char0n May 19, 2025 12:48
@glowcloud glowcloud self-assigned this May 19, 2025
char0n
char0n reviewed May 20, 2025
View reviewed changes
src/core/oauth2-authorize.js Outdated
@@ -109,7 +109,11 @@ export default function authorize ( { auth, authActions, errActions, configs, au
} else {
sanitizedAuthorizationUrl = sanitizeUrl(authorizationUrl)
}
let url = [sanitizedAuthorizationUrl, query.join("&")].join(authorizationUrl.indexOf("?") === -1 ? "?" : "&")
let url = [sanitizedAuthorizationUrl, query.join("&")].join(
typeof authorizationUrl === "string" && authorizationUrl.indexOf("?") === -1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
typeof authorizationUrl === "string" && authorizationUrl.indexOf("?") === -1
typeof authorizationUrl === "string" && !authorizationUrl.includes("?")

char0n
char0n approved these changes May 20, 2025
View reviewed changes
Copy link
Contributor

@char0n char0n left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved with one suggestion

@glowcloud glowcloud merged commit 119052e into master May 20, 2025
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@char0n char0n char0n approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@glowcloud glowcloud

Labels
cat: auth type: bug version: 5.x
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@glowcloud @char0n