Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate OAuth Redirect URIs #32643

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Validate OAuth Redirect URIs #32643

wants to merge 9 commits into from
+299 −28

Conversation

bohde
Copy link
Contributor

@bohde bohde commented Nov 25, 2024

This fixes a TODO in the code to validate the RedirectURIs when adding or editing an OAuth application in user settings.

This also includes a refactor of the user settings tests to only create the DB once per top-level test to avoid reloading fixtures.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 25, 2024
@pull-request-size pull-request-size bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 25, 2024
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Nov 25, 2024
lunny
lunny reviewed Nov 26, 2024
View reviewed changes
modules/validation/binding.go Outdated
// URL validation rule
binding.AddRule(&binding.Rule{
IsMatch: func(rule string) bool {
return strings.HasPrefix(rule, "ValidUrlList")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return strings.HasPrefix(rule, "ValidUrlList")
return strings.EqualFold(rule, "ValidUrlList")

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in e536a9d

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But "why"?

Shouldn't we be strict for names?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we want a strict name, it should be == here. But I don't think HasPrefix is right here. For other examples, some maybe also not be right and some are for xxx( so they use HasPrefix.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, but why it was changed to EqualFold?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I misunderstood how other rules implemented. I thought case insensitive seems reasonable. Now I think we should follow the old styles to keep consistency.

@lunny lunny added this to the 1.23.0 milestone Nov 26, 2024
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 27, 2024
wxiaoguang
wxiaoguang requested changes Nov 27, 2024
View reviewed changes
Copy link
Contributor

@wxiaoguang wxiaoguang left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not think EqualFold is right. @lunny

#32643 (comment)

image

image

@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 27, 2024
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Nov 27, 2024
edited
Loading

Feel free to discard my change request if the concern is addressed, in case I am not at computer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wxiaoguang wxiaoguang wxiaoguang requested changes

@lunny lunny lunny approved these changes

Assignees
No one assigned
Labels
lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged modifies/go Pull requests that update Go code size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
1.23.0
Development

Successfully merging this pull request may close these issues.
4 participants
@bohde @wxiaoguang @lunny @GiteaBot