fix: disable callback URLs with protocols "javascript" and "data"

.version

@@ -1 +1 @@
-2.4.0
+2.5.0

CHANGELOG.md

@@ -1,3 +1,34 @@
+## v2.5.0
+
+### Bug Fixes
+
+- better error messages when there's another instance of Pocket ID running ([#1370](https://github.com/pocket-id/pocket-id/pull/1370) by @ItalyPaleAle)
+- move tooltip inside of form input to prevent shifting ([#1369](https://github.com/pocket-id/pocket-id/pull/1369) by @GameTec-live)
+- derive LDAP admin access from group membership ([#1374](https://github.com/pocket-id/pocket-id/pull/1374) by @kmendell)
+- avoid fmt.Sprintf on custom GeoLiteDBUrl without %s placeholder ([#1384](https://github.com/pocket-id/pocket-id/pull/1384) by @choyri)
+- show a warning when SQLite DB is stored on NFS/SMB/FUSE ([#1381](https://github.com/pocket-id/pocket-id/pull/1381) by @ItalyPaleAle)
+- empty background restore after reboot ([#1379](https://github.com/pocket-id/pocket-id/pull/1379) by @taoso)
+- allow one-char username on signup ([#1378](https://github.com/pocket-id/pocket-id/pull/1378) by @taoso)
+
+### Features
+
+- allow use of svg, png, and ico images types for favicon ([#1289](https://github.com/pocket-id/pocket-id/pull/1289) by @taoso)
+- allow clearing background image ([#1290](https://github.com/pocket-id/pocket-id/pull/1290) by @taoso)
+- add `token_endpoint_auth_methods_supported` to `.well-known` ([#1388](https://github.com/pocket-id/pocket-id/pull/1388) by @owenvoke)
+- add TRUSTED_PLATFORM environment variable for gin ([#1372](https://github.com/pocket-id/pocket-id/pull/1372) by @choyri)
+
+### Other
+
+- add pr quality action ([e3905cf](https://github.com/pocket-id/pocket-id/commit/e3905cf3159fe0370778b0d7d3be64b4246d19be) by @stonith404)
+- separate querying LDAP and updating DB during sync ([#1371](https://github.com/pocket-id/pocket-id/pull/1371) by @ItalyPaleAle)
+- bump google.golang.org/grpc from 1.79.1 to 1.79.3 in /backend in the go_modules group across 1 directory ([#1391](https://github.com/pocket-id/pocket-id/pull/1391) by @dependabot[bot])
+- Improve Latvian translations in lv.json ([#1382](https://github.com/pocket-id/pocket-id/pull/1382) by @Raito00)
+- ignore linter on app image bootstrap ([5251cd9](https://github.com/pocket-id/pocket-id/commit/5251cd97994177c96cb6f9ab3f88ca31367b5b55) by @kmendell)
+- upgrade dependencies ([e7e0176](https://github.com/pocket-id/pocket-id/commit/e7e0176316857186b9683e2f0cb0686189f86cfb) by @kmendell)
+- upgrade dependencies ([3c42a71](https://github.com/pocket-id/pocket-id/commit/3c42a713ce91b4061ffcf86d92cbb19294359ff8) by @kmendell)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.4.0...v2.5.0
+
 ## v2.4.0
 
 ### Bug Fixes

backend/internal/controller/oidc_controller.go

@@ -89,12 +89,19 @@ type OidcController struct {
 // @Router /api/oidc/authorize [post]
 func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	var input dto.AuthorizeOidcClientRequestDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	err := c.ShouldBindJSON(&input)
+	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 
-	code, callbackURL, err := oc.oidcService.Authorize(c.Request.Context(), input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	code, callbackURL, err := oc.oidcService.Authorize(
+		c.Request.Context(),
+		input,
+		c.GetString("userID"),
+		c.ClientIP(),
+		c.Request.UserAgent(),
+	)
 	if err != nil {
 		_ = c.Error(err)
 		return

backend/internal/dto/oidc_dto.go

@@ -33,8 +33,8 @@ type OidcClientWithAllowedGroupsCountDto struct {
 
 type OidcClientUpdateDto struct {
 	Name                     string                   `json:"name" binding:"required,max=50" unorm:"nfc"`
-	CallbackURLs             []string                 `json:"callbackURLs" binding:"omitempty,dive,callback_url"`
+	CallbackURLs             []string                 `json:"callbackURLs" binding:"omitempty,dive,callback_url_pattern"`
-	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs" binding:"omitempty,dive,callback_url"`
+	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs" binding:"omitempty,dive,callback_url_pattern"`
 	IsPublic                 bool                     `json:"isPublic"`
 	PkceEnabled              bool                     `json:"pkceEnabled"`
 	RequiresReauthentication bool                     `json:"requiresReauthentication"`
@@ -66,7 +66,7 @@ type OidcClientFederatedIdentityDto struct {
 type AuthorizeOidcClientRequestDto struct {
 	ClientID              string `json:"clientID" binding:"required"`
 	Scope                 string `json:"scope" binding:"required"`
-	CallbackURL           string `json:"callbackURL"`
+	CallbackURL           string `json:"callbackURL" binding:"omitempty,callback_url"`
 	Nonce                 string `json:"nonce"`
 	CodeChallenge         string `json:"codeChallenge"`
 	CodeChallengeMethod   string `json:"codeChallengeMethod"`

backend/internal/dto/validations.go

@@ -1,7 +1,9 @@
 package dto
 
 import (
+	"net/url"
 	"regexp"
+	"strings"
 	"time"
 
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
@@ -19,38 +21,38 @@ var validateUsernameRegex = regexp.MustCompile("^[a-zA-Z0-9]([a-zA-Z0-9_.@-]*[a-
 var validateClientIDRegex = regexp.MustCompile("^[a-zA-Z0-9._-]+$")
 
 func init() {
-	v := binding.Validator.Engine().(*validator.Validate)
+	engine := binding.Validator.Engine().(*validator.Validate)
 
 	// Maximum allowed value for TTLs
 	const maxTTL = 31 * 24 * time.Hour
 
-	if err := v.RegisterValidation("username", func(fl validator.FieldLevel) bool {
+	validators := map[string]validator.Func{
-		return ValidateUsername(fl.Field().String())
+		"username": func(fl validator.FieldLevel) bool {
-	}); err != nil {
+			return ValidateUsername(fl.Field().String())
-		panic("Failed to register custom validation for username: " + err.Error())
+		},
+		"client_id": func(fl validator.FieldLevel) bool {
+			return ValidateClientID(fl.Field().String())
+		},
+		"ttl": func(fl validator.FieldLevel) bool {
+			ttl, ok := fl.Field().Interface().(utils.JSONDuration)
+			if !ok {
+				return false
+			}
+			// Allow zero, which means the field wasn't set
+			return ttl.Duration == 0 || (ttl.Duration > time.Second && ttl.Duration <= maxTTL)
+		},
+		"callback_url": func(fl validator.FieldLevel) bool {
+			return ValidateCallbackURL(fl.Field().String())
+		},
+		"callback_url_pattern": func(fl validator.FieldLevel) bool {
+			return ValidateCallbackURLPattern(fl.Field().String())
+		},
 	}
-
+	for k, v := range validators {
-	if err := v.RegisterValidation("client_id", func(fl validator.FieldLevel) bool {
+		err := engine.RegisterValidation(k, v)
-		return ValidateClientID(fl.Field().String())
+		if err != nil {
-	}); err != nil {
+			panic("Failed to register custom validation for " + k + ": " + err.Error())
-		panic("Failed to register custom validation for client_id: " + err.Error())
-	}
-
-	if err := v.RegisterValidation("ttl", func(fl validator.FieldLevel) bool {
-		ttl, ok := fl.Field().Interface().(utils.JSONDuration)
-		if !ok {
-			return false
 		}
-		// Allow zero, which means the field wasn't set
-		return ttl.Duration == 0 || (ttl.Duration > time.Second && ttl.Duration <= maxTTL)
-	}); err != nil {
-		panic("Failed to register custom validation for ttl: " + err.Error())
-	}
-
-	if err := v.RegisterValidation("callback_url", func(fl validator.FieldLevel) bool {
-		return ValidateCallbackURL(fl.Field().String())
-	}); err != nil {
-		panic("Failed to register custom validation for callback_url: " + err.Error())
 	}
 }
 
@@ -64,8 +66,24 @@ func ValidateClientID(clientID string) bool {
 	return validateClientIDRegex.MatchString(clientID)
 }
 
-// ValidateCallbackURL validates callback URLs with support for wildcards
+// ValidateCallbackURL validates the input callback URL
-func ValidateCallbackURL(raw string) bool {
+func ValidateCallbackURL(str string) bool {
+	// Ensure the URL is a valid one and that the protocol is not "javascript:" or "data:"
+	u, err := url.Parse(str)
+	if err != nil {
+		return false
+	}
+
+	switch strings.ToLower(u.Scheme) {
+	case "javascript", "data":
+		return false
+	default:
+		return true
+	}
+}
+
+// ValidateCallbackURLPattern validates callback URL patterns, with support for wildcards
+func ValidateCallbackURLPattern(raw string) bool {
 	err := utils.ValidateCallbackURLPattern(raw)
 	return err == nil
 }

backend/internal/dto/validations_test.go

@@ -57,3 +57,28 @@ func TestValidateClientID(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateCallbackURL(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{"valid https URL", "https://example.com/callback", true},
+		{"valid loopback URL", "http://127.0.0.1:49813/callback", true},
+		{"empty scheme", "//127.0.0.1:49813/callback", true},
+		{"valid custom scheme", "pocketid://callback", true},
+		{"invalid malformed URL", "http://[::1", false},
+		{"invalid missing scheme separator", "://example.com/callback", false},
+		{"rejects javascript scheme", "javascript:alert(1)", false},
+		{"rejects mixed case javascript scheme", "JavaScript:alert(1)", false},
+		{"rejects data scheme", "data:text/html;base64,PGgxPkhlbGxvPC9oMT4=", false},
+		{"rejects mixed case data scheme", "DaTa:text/html;base64,PGgxPkhlbGxvPC9oMT4=", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, ValidateCallbackURL(tt.input))
+		})
+	}
+}

backend/internal/service/oidc_service.go

@@ -125,9 +125,7 @@ func (s *OidcService) getJWKCache(ctx context.Context) (*jwk.Cache, error) {
 
 func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClientRequestDto, userID, ipAddress, userAgent string) (string, string, error) {
 	tx := s.db.Begin()
-	defer func() {
+	defer tx.Rollback()
-		tx.Rollback()
-	}()
 
 	var client model.OidcClient
 	err := tx.

frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pocket-id-frontend",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "private": true,
   "type": "module",
   "scripts": {

frontend/src/routes/authorize/+page.svelte

@@ -71,19 +71,16 @@
 				reauthToken = await webauthnService.reauthenticate(authResponse);
 			}
 
-			await oidService
+			const authResult = await oidService.authorize(
-				.authorize(
+				client!.id,
-					client!.id,
+				scope,
-					scope,
+				callbackURL,
-					callbackURL,
+				nonce,
-					nonce,
+				codeChallenge,
-					codeChallenge,
+				codeChallengeMethod,
-					codeChallengeMethod,
+				reauthToken
-					reauthToken
+			);
-				)
+			onSuccess(authResult.code, authResult.callbackURL, authResult.issuer);
-				.then(async ({ code, callbackURL, issuer }) => {
-					onSuccess(code, callbackURL, issuer);
-				});
 		} catch (e) {
 			errorMessage = getWebauthnErrorMessage(e);
 			isLoading = false;
@@ -91,13 +88,17 @@
 	}
 
 	function onSuccess(code: string, callbackURL: string, issuer: string) {
+		const redirectURL = new URL(callbackURL);
+		if (redirectURL.protocol == 'javascript:' || redirectURL.protocol == 'data:') {
+			throw new Error('Invalid redirect URL protocol');
+		}
+
+		redirectURL.searchParams.append('code', code);
+		redirectURL.searchParams.append('state', authorizeState);
+		redirectURL.searchParams.append('iss', issuer);
+
 		success = true;
 		setTimeout(() => {
-			const redirectURL = new URL(callbackURL);
-			redirectURL.searchParams.append('code', code);
-			redirectURL.searchParams.append('state', authorizeState);
-			redirectURL.searchParams.append('iss', issuer);
-
 			window.location.href = redirectURL.toString();
 		}, 1000);
 	}