fix(oauth2): prevent code injection in OAuth2 callback handling #8360
abhishekp-bruno wants to merge 26 commits into
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
Walkthrough
Adds OAuth2 state generation and validation across authorization-code and implicit flows, updates OAuth2 error display in the app response pane, and adds fixtures plus end-to-end coverage for matching and mismatched callback state.
Changes
OAuth2 State Validation
Pre-merge checks: 5 passed
⚠️ Outside diff range comments (1)
packages/bruno-electron/src/utils/oauth2.js (1)
316-339: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Ensure the generated state is the only `state` parameter.
If `authorizationUrl` already contains `state`, or `additionalParameters.authorization` includes a query param named `state`, these flows can send duplicate `state` values. Providers may echo a different duplicate than `effectiveState`, causing valid callbacks to fail state validation.
Proposed minimal fix
- if (effectiveState) { - authorizationUrlWithQueryParams.searchParams.append('state', effectiveState); - } if (additionalParameters?.authorization?.length) { additionalParameters.authorization.forEach((param) => { if (param.enabled && param.name) { if (param.sendIn === 'queryparams') { authorizationUrlWithQueryParams.searchParams.append(param.name, param.value || ''); @@ } }); } + if (effectiveState) { + authorizationUrlWithQueryParams.searchParams.set('state', effectiveState); + }
Also applies to: 854-872
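Review bot: moving the `state` write after the `additionalParameters.authorization` loop and switching `append` to `searchParams.set('state', effectiveState)` does resolve the duplicate, because `set` drops every other entry of that name, but the override is silent: a user who placed `state` in the base `authorizationUrl` or as an additional query param will see it replaced with no indication. A log line or a doc note stating that Bruno owns the `state` parameter would make the behaviour discoverable, and the same ordering needs to land in the implicit-flow builder at 854-872 so both grants behave alike.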
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/bruno-electron/src/utils/oauth2.js` around lines 316 - 339, The authorization URL builder in oauth2.js can append multiple state query parameters when the base authorizationUrl already includes state or when additionalParameters.authorization adds a query param named state. Update the logic around authorizationUrlWithQueryParams and the additionalParameters.authorization loop so only effectiveState is emitted as state, and suppress or replace any existing state entry before finalizing the URL.
🧹 Nitpick comments (1)
packages/bruno-electron/src/utils/oauth2.js (1)
715-723: 📐 Maintainability & Code Quality | 🔵 Trivial | 🏗️ Heavy lift
Add regression coverage for the new state contract.
Please cover generated state, user-prefixed state, and match/missing/mismatch callback behavior for query and hash responses. As per coding guidelines, “Add tests for any new functionality or meaningful changes.”
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/bruno-electron/src/utils/oauth2.js` around lines 715 - 723, Add regression tests for the new OAuth2 state handling in generateState and the callback validation flow: cover the default generated state, the userState-prefixed state case, and callback behavior for query and hash responses when the state matches, is missing, or mismatches. Update or extend the relevant tests around generateState and the callback handling logic in oauth2.js so the new contract is explicitly verified.
Source: Coding guidelines
📒 Files selected for processing (4)
- packages/bruno-electron/src/ipc/network/authorize-user-in-system-browser.js
- packages/bruno-electron/src/ipc/network/authorize-user-in-window.js
- packages/bruno-electron/src/utils/oauth2-protocol-handler.js
- packages/bruno-electron/src/utils/oauth2.js
@abhishekp-bruno Are there tests we can write to assert this behaviour?
Actionable comments posted: 1
Inline comments:
In `@packages/bruno-electron/tests/utils/oauth2-protocol-handler.spec.js`:
- Around line 58-84: The implicit-flow tests in handleOauth2ProtocolUrl
currently cover matching and mismatching hash state, but miss the case where an
expected state is registered and the callback omits state entirely. Add a
negative-path test alongside the existing implicit flow cases in
oauth2-protocol-handler.spec.js that registers an expectedState via
registerOauth2AuthorizationRequest, calls handleOauth2ProtocolUrl with a hash
lacking state, and asserts reject is called with a state mismatch-style error
while resolve is not called.
📒 Files selected for processing (2)
- packages/bruno-electron/src/utils/oauth2.js
- packages/bruno-electron/tests/utils/oauth2-protocol-handler.spec.js
🚧 Files skipped from review as they are similar to previous changes (1)
- packages/bruno-electron/src/utils/oauth2.js
…fix/code-injection-vulnerability
Actionable comments posted: 2
Inline comments:
In `@tests/auth/oauth2/oauth2-state-validation.spec.ts`:
- Line 204: Remove the brittle negative toast check in the
oauth2-state-validation spec and rely on the existing response-pane assertions
to validate the failure path. Update the test around the Token fetched
successfully toast so it no longer uses a negative visibility assertion on the
transient notification; keep the rest of the flow intact.
- Around line 110-117: The oauth2-state-validation test helper is only asserting
the generated 32-hex state shape, so it never covers the user-supplied state
path added in this PR. Update the suite around getIssuedState and the existing
request fixtures to include one case with a fixed non-empty state, then verify
the emitted callback state reflects the exact appended nonce behavior Bruno
produces rather than the raw input value. Use the
oauth2-state-validation.spec.ts fixture setup and the
stateFromAuthorizationUrl/getCapturedAuthUrl flow to add an assertion for the
user-provided state branch.
📒 Files selected for processing (7)
- packages/bruno-app/src/components/RequestPane/Auth/OAuth2/Oauth2ActionButtons/index.js
- tests/auth/oauth2/fixtures/collection/Authorization Code.bru
- tests/auth/oauth2/fixtures/collection/Implicit.bru
- tests/auth/oauth2/fixtures/collection/bruno.json
- tests/auth/oauth2/fixtures/collection/environments/Local.bru
- tests/auth/oauth2/init-user-data/preferences.json
- tests/auth/oauth2/oauth2-state-validation.spec.ts
✅ Files skipped from review due to trivial changes (2)
- tests/auth/oauth2/fixtures/collection/environments/Local.bru
- tests/auth/oauth2/init-user-data/preferences.json
…fix/code-injection-vulnerability
…fix/code-injection-vulnerability
… events to match renderer expectations and add regression tests (usebruno#8370)
* test cases for workspace import and validation TC-969, jira: https://usebruno.atlassian.net/browse/BRU-3575
* incorporated comments, moved findWorkspaceDirByName function to helpers.ts, fixed all the comments
* modified as per comment provided, removed css locators, used playwright inbuilt methods, handled timeout
* Created file structure as per comment provided, added tc-id, resolved code-rabbit review
* incorporated comments removed commented line, removed timeouts, modified package.json added package in dev dependencies
* changed const l to locators for better readability
* - Reorganized test helpers: split title-bar locators into title-bar.ts and import-workspace flow into workspace/import-workspace.ts for reuse
  - Replaced brittle .bruno-modal-card/CSS locators with stable role/testid/label based locators
  - Added a data-testid for the Import Workspace modal and removed the redundant one
  - Cleaned up unnecessary comments
  - Updated package-lock.json
* minor changes
* minor changes
* addressed comments
* addressed comments for variable naming
* minor changes
…able disabled scripting APIs (usebruno#8315)
* feat(variables): add variable persistence with scripting
  feat(collections): implement script-driven update for collection variables, ensuring direct root modification and draft synchronization
  feat(collections): enhance script variable management with baseline tracking and draft preservation
* feat(variables): add runtime variable updates and optimize disk writes by implementing dirty flags
  fix(collections): handle errors during environment persistence in script execution
  feat(collections): implement baseline clearing for script execution and optimize variable update handling
  feat(tests): add default persistence tests for environment variables and update runtime variable handling
  refactor(collections): streamline variable update handling and improve draft management by removing redundant comments and optimizing code clarity
  test(collection-vars): add verification for draft edits and script variable visibility in collection settings UI
  refactor(collection-vars): update header value selection logic for improved clarity and accuracy in draft isolation tests
* feat(global-environments): enhance global environment updates to resolve stale active UIDs and improve persistence logic
  - Updated the `updateGlobalEnvironments` reducer to handle stale active UIDs by matching against environment names.
  - Improved the logic for setting global environments and active UIDs to ensure consistency after disk reloads.
  - Removed outdated tests related to persisted values in favor of more relevant assertions for environment variable handling.
* feat(variables): enhance typed value handling and persistence in global and collection environments
  - Added tests to infer data types (number, boolean, object) when setting environment and collection variables.
  - Updated the logic to preserve existing data types when variables are not modified by scripts.
  - Implemented dirty flags to track changes in typed variables, ensuring accurate persistence across sessions.
  - Refactored related tests to verify the correct behavior of typed variables in various scenarios.
* refactor(variables): streamline data type inference and enhance deletion methods
  - Removed redundant data type inference logic from global and collection variable updates to simplify the codebase.
  - Updated deletion methods in the Bru class to use Object.keys for improved resilience against user-defined properties.
  - Added tests to ensure deletion methods function correctly even when properties are shadowed.
  - Enhanced clarity in draft merge tests by standardizing keyboard shortcuts for selecting all text.
* fix(tests): correct variable naming and improve environment panel interactions
  - Updated test cases to reflect the correct variable name 'wasSaved' instead of 'was-saved'.
  - Modified environment panel interaction to remove forced click, enhancing test reliability.
  - Added a utility function to close the environment panel in safe mode tests for better readability and maintainability.
* feat(runtime): enhance variable management and cleanup logic
  - Introduced a new method to clear script-driven variable baselines for collections, ensuring no stale data leaks into new requests.
  - Updated the handling of runtime variables in the Bru class to track changes with a new dirty flag, improving state management.
  - Refactored the application of script environment variables to prevent direct mutations, ensuring immutability and cleaner state updates.
  - Enhanced the response handling in the script runtime to conditionally include runtime variables based on their dirty state.
* feat(variables): improve request handling and state management for collections and environments
  - Enhanced event listeners to clear global environment baselines on both 'testrun-started' and 'request-queued' events, preventing stale data issues.
  - Updated global environment and collection variable update events to ignore stale updates from superseded requests, ensuring accurate state management.
  - Refactored the Bru class to optimize variable management, including checks for existing keys before updates and deletions, improving performance and reliability.
  - Introduced request UID tracking to maintain consistency across variable updates during concurrent requests.
* refactor(collections): update action to clear script variable baselines
  - Replaced the dispatch of `_clearScriptGlobalEnvBaseline` with `clearScriptVariableBaselines` to improve clarity and maintainability in the Redux action handling for collections.
* feat(environments): introduce getScriptModifiedKeys utility for improved variable management
  - Added a new utility function, `getScriptModifiedKeys`, to identify keys modified by scripts relative to a baseline, enhancing the handling of data types during variable updates.
  - Updated the application of script environment variables to prevent overwriting user-defined draft changes during no-op writes.
  - Refactored related logic in collections and global environments to utilize the new utility, ensuring accurate state management and improved clarity in the Redux slices.
* refactor(global-environments): simplify active UID resolution logic in updateGlobalEnvironments reducer
  - Streamlined the logic for resolving the active global environment UID by consolidating conditions into a more concise format.
  - Removed outdated comments to enhance code clarity and maintainability.
  - Updated tests to ensure accurate resolution of active UIDs based on incoming environment data.
* refactor(tests): remove outdated comments and streamline environment variable row expectations
  - Eliminated comments related to state sync and inference issues to enhance code clarity.
  - Adjusted expectations for environment variable row rendering in tests, focusing on relevant assertions.
* feat(tests): add comprehensive tests for secret variable persistence in environments
  - Introduced new test cases to validate the preservation of secret variables when updated via scripts in both collection and global environments.
  - Implemented tests to ensure that secret values are encrypted before storage and can be correctly decrypted for subsequent requests.
  - Added fixtures and environment configurations for testing secret variable behavior in both bru and yml formats.
  - Enhanced utility functions for managing environment configurations and interactions within the test suite.
* feat(tests): enhance environment variable tests and add global variable persistence
  - Updated MultiLineEditor and SingleLineEditor components to include data-testid for secret reveal toggle buttons, improving testability.
  - Introduced new tests for global environment variable persistence, ensuring non-secret variables survive app restarts and are correctly interpolated.
  - Added fixtures for workspace and collections to support the new global variable tests, enhancing the overall test coverage for environment management.
  - Refactored utility functions to streamline interactions with environment variables in tests.
* refactor(collections): optimize environment and collection saving logic
  - Simplified the persistence logic for active environments by directly constructing the environment copy, reducing unnecessary cloning.
  - Updated the collection saving process to utilize the fresh collection state, ensuring accurate data is saved without drafts.
  - Enhanced error handling during the save operations to improve reliability and maintainability.
* feat(tests): implement collection variable persistence tests
  - Added multiple test cases to validate the persistence of collection variables across app restarts, including typed values and multiple variable settings.
  - Created new fixtures for collection variables to support the tests, ensuring accurate simulation of variable management scenarios.
  - Enhanced the existing collection management logic to ensure that variables are correctly set and deleted as per the test requirements.
* feat(tests): add tests for typed global environment variable persistence
  - Introduced a new test suite to validate the persistence of typed global environment variables across app restarts, ensuring correct data types are maintained.
  - Created a fixture for the test collection to simulate setting global variables with various data types, including number, boolean, object, and string.
  - Enhanced the test logic to verify that the environment file reflects the correct state before and after application restarts.
* fix(tests): update request tab close interaction in variable persistence tests
* fix(tests): improve hover interaction for collection actions in runner tests
  - Updated the hover logic for revealing collection actions to handle sidebar re-renders more reliably.
  - Replaced one-shot hover with a polling mechanism to ensure visibility of actions, enhancing test stability.
* refactor(environments): streamline environment variable handling and remove ephemeral metadata logic
  - Simplified the comparison logic for environment variables by removing unnecessary ephemeral metadata handling.
  - Updated the saving process to directly use the environment variables without stripping metadata, enhancing clarity and maintainability.
  - Removed outdated comments and unused utility functions related to ephemeral variables, improving code cleanliness.
* fix(ipc): update persistActiveEnvironment to handle requestUid for stale updates
  - Modified the persistActiveEnvironment function to accept a requestUid parameter, allowing for better management of stale updates.
  - Enhanced the logic to prevent disk writes for superseded requests, improving data integrity during environment persistence.
* refactor(bru): remove unused envName variable in deleteAllEnvVars method
  - Eliminated the envName variable from the deleteAllEnvVars method, simplifying the logic for deleting environment variables.
  - Cleaned up the method by removing unnecessary checks related to the envName, enhancing code clarity and maintainability.
* fix(bru): prevent deletion of internal __name__ variable in deleteEnvVar method
  - Added a check in the deleteEnvVar method to silently ignore attempts to delete the internal __name__ variable, preserving its integrity.
  - Updated tests to verify that the __name__ variable remains unchanged when deleteEnvVar is called with this key.
  - Enhanced runtime tests to ensure compatibility with QuickJS by confirming that environment variables set with persist options are handled correctly.
* feat(tests): add legacy support test for environment variable persistence
  - Introduced a new test suite to validate that the legacy argument for setting environment variables with persistence is still functional in version 4.
  - Created a fixture to simulate the legacy syntax, ensuring that the variable is correctly persisted on disk without errors.
  - Enhanced integration testing to confirm that the legacy behavior aligns with the current implementation, maintaining backward compatibility.
* test(tests): enhance legacy environment variable persistence tests for safe and developer modes
  - Updated the test suite for `bru.setEnvVar` to verify that the legacy persist flag is correctly handled in both safe and developer modes.
  - Introduced a helper function to streamline the verification process and ensure consistent behavior across different execution contexts.
  - Adjusted the test logic to reset the environment state between mode switches, maintaining test integrity.
  - Improved hover interaction in multiple persistent variable tests to ensure reliable visibility of actions during execution.
* fix(EnvironmentVariablesTable): correct change detection logic for environment variables
  - Updated the logic for determining changes in environment variables to compare active current and saved values instead of previously used variablesToSave and savedValues.
  - This change ensures accurate detection of modifications before saving, improving user feedback when no changes are present.
* test(tests): enhance secret variable persistence tests for environment configurations
  - Updated the test suites for `bru.setEnvVar` and `bru.setGlobalEnvVar` to include interactions with the secrets tab, ensuring visibility of secret variables during various states of the environment.
  - Added checks to confirm that the eye toggle functionality correctly reveals the values of secret variables after setting and overwriting them.
  - Improved test coverage for secret variable persistence, validating that the expected values are displayed in both collection and global environment contexts.
…fix/code-injection-vulnerability
…/abhishekp-bruno/bruno into fix/code-injection-vulnerability
JIRA - https://usebruno.atlassian.net/browse/BRU-3546
Description
Bruno didn't validate the state returned on the OAuth2 callback, and sent none at all when the user left it blank — leaving auth flows open to CSRF / code injection.
Changes:
Always issue a state — random when unset, or a random nonce appended to the user's value so it can't be predicted/replayed.
Validate the returned state against the issued one and abort on mismatch, in both the embedded-window and system-browser flows.
Covers authorization code + implicit grants (query params and hash fragments).
Summary by CodeRabbit
New Features
- `state` protection by using a cryptographically random “effective state” and validating it for both authorization-code and implicit flows.
Bug Fixes
- `state` is missing or incorrect.
Tests