author | Joern Schneeweisz <jschneeweisz@gitlab.com> | 2021-11-19 01:44:06 +0300 |
---|---|---|
committer | Jaime Martinez <jmartinez@gitlab.com> | 2021-11-19 01:44:06 +0300 |
commit | 4f2414218242a929b032de33d4f5cd9c727dbabb (patch) | |
tree | 6c993c43715f11e053a887c8f55881f145ac6633 | |
parent | b0a0d337d5870792760c5f4fc8291473425285a0 (diff) |
Escape user supplied code before inserting as a POST parameter
-rw-r--r-- | internal/auth/auth.go | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index e6b6f751..23a2fc68 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -36,7 +36,6 @@ const (
 	apiURLProjectTemplate  = "%s/api/v4/projects/%d/pages_access"
 	authorizeURLTemplate   = "%s/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code&state=%s&scope=%s"
 	tokenURLTemplate       = "%s/oauth/token"
-	tokenContentTemplate   = "client_id=%s&client_secret=%s&code=%s&grant_type=authorization_code&redirect_uri=%s"
 	callbackPath           = "/auth"
 	authorizeProxyTemplate = "%s?domain=%s&state=%s"
 	authSessionMaxAge      = 60 * 10 // 10 minutes
@@ -378,10 +377,19 @@ func (a *Auth) fetchAccessToken(ctx context.Context, code string) (tokenResponse
 	token := tokenResponse{}
 
 	// Prepare request
-	url := fmt.Sprintf(tokenURLTemplate, a.internalGitlabServer)
-	content := fmt.Sprintf(tokenContentTemplate, a.clientID, a.clientSecret, code, a.redirectURI)
-	req, err := http.NewRequestWithContext(ctx, "POST", url, strings.NewReader(content))
+	fetchURL, err := url.Parse(fmt.Sprintf(tokenURLTemplate, a.internalGitlabServer))
+	if err != nil {
+		return token, err
+	}
+
+	content := url.Values{}
+	content.Set("client_id", a.clientID)
+	content.Set("client_secret", a.clientSecret)
+	content.Set("code", code)
+	content.Set("grant_type", "authorization_code")
+	content.Set("redirect_uri", a.redirectURI)
+	req, err := http.NewRequestWithContext(ctx, "POST", fetchURL.String(), strings.NewReader(content.Encode()))
 	if err != nil {
 		return token, err
 	}
 
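Review bot: The `url.Parse` / `fetchURL.String()` round trip at the top of the second hunk is redundant: `http.NewRequestWithContext` parses its URL argument itself and returns an error for a malformed one, so the extra step adds an error return without validating anything more (an empty `internalGitlabServer` still parses fine as the relative path `/oauth/token`). The request line could simply be `req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf(tokenURLTemplate, a.internalGitlabServer), strings.NewReader(content.Encode()))`; note the diff adds no import, so `net/url` was already imported and the removed `url :=` local had been shadowing it, which the `fetchURL` name now avoids. The switch to `url.Values` is the actual fix — `code` (presumably taken from the callback request) is now percent-encoded instead of spliced into the body, so a value containing `&` or `=` can no longer alter the other parameters — but it only works if the request's `Content-Type` is `application/x-www-form-urlencoded`, which is set, if at all, outside the hunk; worth confirming. `fetchAccessToken`'s body continues past the end of the hunk.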