fix(oauth2): Fix crash when profile fields are missing (#5850)

Co-authored-by: Lautaro Alvarez <lautaro@grava.digital>
Lautaro Alvarez 2024-11-01 11:21:10 -03:00 committed by GitHub
parent 0f06adb9c7
commit 4fdab806a3
GPG key ID: B5690EEEBB952194
3 changed files with 17 additions and 24 deletions


@ -20,7 +20,7 @@ class OAuth2CustomStrategy extends Strategy {
userProfile (accessToken, done) { userProfile (accessToken, done) {
this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) { this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
let json let json, profile
if (err) { if (err) {
return done(new InternalOAuthError('Failed to fetch user profile', err)) return done(new InternalOAuthError('Failed to fetch user profile', err))
@ -33,7 +33,11 @@ class OAuth2CustomStrategy extends Strategy {
} }
checkAuthorization(json, done) checkAuthorization(json, done)
const profile = parseProfile(json) try {
profile = parseProfile(json)
} catch (ex) {
return done('Failed to identify user profile information', null)
}
profile.provider = 'oauth2' profile.provider = 'oauth2'
done(null, profile) done(null, profile)
@ -97,7 +101,7 @@ function checkAuthorization (data, done) {
OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) { OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) { this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
let json let json, profile
if (err) { if (err) {
return done(new InternalOAuthError('Failed to fetch user profile', err)) return done(new InternalOAuthError('Failed to fetch user profile', err))
@ -110,7 +114,11 @@ OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
} }
checkAuthorization(json, done) checkAuthorization(json, done)
const profile = parseProfile(json) try {
profile = parseProfile(json)
} catch (ex) {
return done('Failed to identify user profile information', null)
}
profile.provider = 'oauth2' profile.provider = 'oauth2'
done(null, profile) done(null, profile)
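Review bot: The new catch branch reports the failure as a bare string, `return done('Failed to identify user profile information', null)`, while the fetch failure a few lines above in the same callback wraps it as `new InternalOAuthError('Failed to fetch user profile', err)`; the caught exception `ex` is discarded, so nothing in the callback's error tells an operator which profile field was missing. Prefer `return done(new InternalOAuthError('Failed to identify user profile information', ex))` so callers get an Error object in the same shape as the other failure path and the cause is preserved; the same applies to the identical catch in the `@ -110,7 +114,11` hunk. The `checkAuthorization(json, done)` call right before the try is not shown here; if it can itself invoke `done` with an error and return, execution still falls through into `parseProfile` and `done(null, profile)` is called a second time, which is worth confirming. The enclosing callback and method continue outside the hunk.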


@ -1,5 +1,10 @@
# Release Notes # Release Notes
## <i class="fa fa-tag"></i> 1.x.x <i class="fa fa-calendar-o"></i> UNRELEASED
### Bugfixes
- Fix a crash when cannot read user profile in Oauth
## <i class="fa fa-tag"></i> 1.10.0 <i class="fa fa-calendar-o"></i> 2024-09-01 ## <i class="fa fa-tag"></i> 1.10.0 <i class="fa fa-calendar-o"></i> 2024-09-01
This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use


@ -2938,26 +2938,6 @@ __metadata:
languageName: node languageName: node
linkType: hard linkType: hard
"body-parser@npm:1.20.2":
version: 1.20.2
resolution: "body-parser@npm:1.20.2"
dependencies:
bytes: "npm:3.1.2"
content-type: "npm:~1.0.5"
debug: "npm:2.6.9"
depd: "npm:2.0.0"
destroy: "npm:1.2.0"
http-errors: "npm:2.0.0"
iconv-lite: "npm:0.4.24"
on-finished: "npm:2.4.1"
qs: "npm:6.11.0"
raw-body: "npm:2.5.2"
type-is: "npm:~1.6.18"
unpipe: "npm:1.0.0"
checksum: 10/3cf171b82190cf91495c262b073e425fc0d9e25cc2bf4540d43f7e7bbca27d6a9eae65ca367b6ef3993eea261159d9d2ab37ce444e8979323952e12eb3df319a
languageName: node
linkType: hard
"body-parser@npm:1.20.3": "body-parser@npm:1.20.3":
version: 1.20.3 version: 1.20.3
resolution: "body-parser@npm:1.20.3" resolution: "body-parser@npm:1.20.3"