Fix validation for scopes parameter in create client endpoint
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• apaskulin
	Oct 1 2020, 8:25 PM

Description

Code: https://github.com/wikimedia/mediawiki-extensions-OAuth/blob/master/src/Rest/Handler/RequestClient.php#L87-L95

To do: Have the parameter validation accept an array of values

Details

	Subject	Repo	Branch	Lines +/-
	Dynamic validation for the OAuth client creation REST endpoint scopes param	mediawiki/extensions/OAuth	master	+2 -5

Customize query in gerrit

Related Objects

Mentioned In: T261702: Acceptance testing for WikimediaApiPortalOAuth and updates to OAuth extension
T264215: Error on creating client

Event Timeline

• apaskulin created this task.Oct 1 2020, 8:25 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 1 2020, 8:25 PM

• apaskulin updated the task description. (Show Details)Oct 1 2020, 8:26 PM

Commenting out validation of specific values in the "scopes" parameter validation on my local allowed creation of oauth clients with arbitrary scope values (oarc_grants column in table oauth_registered_consumer):

			'scopes' => [
				self::PARAM_SOURCE => 'post',
/*
				ParamValidator::PARAM_TYPE => [
					'basic',
					'mwoauth-authonly',
					'mwoauth-authonlyprivate'
				],
*/
				ParamValidator::PARAM_REQUIRED => true,
				ParamValidator::PARAM_ISMULTI => true
			]

Here's the command I used to create a test client locally (as this was just against my local, there's no security risk in posting the cookie value):

curl -H "Accept: application/json" --cookie "default_session=fhbm9rbaou605bt72kam4rpgjfqdd3an;defaultToken=8cad97b3037b4aa511f3eb3fce275ca0;defaultUserID=1;defaultUserName=Admin" -X POST -F name=TestFromCurl322 -F description=foo -F [email protected] -F is_confidential=1 -F grant_types=authorization_code -F scopes=editprotected\|createeditmovepage -F callback_url=http://default.web.mw.localhost:8080/mediawiki/ http://default.web.mw.localhost:8080/mediawiki/rest.php/oauth2/client

• apaskulin triaged this task as High priority.Oct 1 2020, 8:31 PM

Do we need that parameter validation?

We already validate values here: https://gerrit.wikimedia.org/g/mediawiki/extensions/OAuth/+/5f7c531f9aab14065d361c58d756f368c11515da/src/Rest/Handler/RequestClient.php#118

Manual testing shows that including an invalid scope with the parameter validation removed strips the invalid scope but proceeds with client creation. So we don't allow creation of garbage clients, but this isn't terribly helpful to people who try to create a client with certain scopes then silently receive a client with different ones.

Maybe we should modify RequestClient::adjustScopes() to dynamically generate the list of allowed scopes based on ScopeRepository::getAllowedScopes()? That'd let us reject invalid scopes at the REST parameter validation level.

Note that the "basic" scope, which we hard-code forced inclusion of in RequestClient::adjustScopes(), IS included in the allowed scopes from ScopeRepository::getAllowedScopes(), at least for my local. Presumably, that's the same for production wikis and just about every wiki that doesn't have a need to do something really unusual.

• apaskulin assigned this task to BPirkle.Oct 1 2020, 8:50 PM

Change 631534 had a related patch set uploaded (by BPirkle; owner: BPirkle):
[mediawiki/extensions/OAuth@master] Dynamic validation for the OAuth client creation REST endpoint scopes param

https://gerrit.wikimedia.org/r/631534

gerritbot added a project: Patch-For-Review.Oct 1 2020, 8:50 PM

Change 631534 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Dynamic validation for the OAuth client creation REST endpoint scopes param

https://gerrit.wikimedia.org/r/631534