Passkeys: Fix RP ID validation

This commit is contained in:
varjolintu 2024-03-11 16:39:40 +02:00 committed by Jonathan White
parent 8a4787278d
commit 5883f49f37
3 changed files with 14 additions and 10 deletions

View File

@ -630,7 +630,7 @@ QJsonObject BrowserService::showPasskeysRegisterPrompt(const QJsonObject& public
}
const auto excludeCredentials = credentialCreationOptions["excludeCredentials"].toArray();
const auto rpId = publicKeyOptions["rp"]["id"].toString();
const auto rpId = credentialCreationOptions["rp"].toObject()["id"].toString();
const auto timeout = publicKeyOptions["timeout"].toInt();
const auto username = credentialCreationOptions["user"].toObject()["name"].toString();
const auto user = credentialCreationOptions["user"].toObject();

View File

@ -109,14 +109,17 @@ int PasskeyUtils::validateRpId(const QJsonValue& rpIdValue, const QString& effec
return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH;
}
if (rpIdValue.isUndefined()) {
return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH;
}
if (effectiveDomain.isEmpty()) {
return ERROR_PASSKEYS_ORIGIN_NOT_ALLOWED;
}
// The RP ID defaults to being the caller's origin's effective domain unless the caller has explicitly set
// options.rp.id
if (rpIdValue.isUndefined() || rpIdValue.isNull()) {
*result = effectiveDomain;
return PASSKEYS_SUCCESS;
}
const auto rpId = rpIdValue.toString();
if (!isRegistrableDomainSuffix(rpId, effectiveDomain)) {
return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH;

View File

@ -573,17 +573,18 @@ void TestPasskeys::testRpIdValidation()
QString result;
auto allowedIdentical = passkeyUtils()->validateRpId(QString("example.com"), QString("example.com"), &result);
QCOMPARE(result, QString("example.com"));
QVERIFY(allowedIdentical == 0);
QVERIFY(allowedIdentical == PASSKEYS_SUCCESS);
result.clear();
auto allowedSubdomain = passkeyUtils()->validateRpId(QString("example.com"), QString("www.example.com"), &result);
QCOMPARE(result, QString("example.com"));
QVERIFY(allowedSubdomain == 0);
QVERIFY(allowedSubdomain == PASSKEYS_SUCCESS);
result.clear();
auto emptyRpId = passkeyUtils()->validateRpId({}, QString("example.com"), &result);
QCOMPARE(result, QString(""));
QVERIFY(emptyRpId == ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH);
QJsonValue emptyValue;
auto emptyRpId = passkeyUtils()->validateRpId(emptyValue, QString("example.com"), &result);
QCOMPARE(result, QString("example.com"));
QVERIFY(emptyRpId == PASSKEYS_SUCCESS);
result.clear();
auto ipRpId = passkeyUtils()->validateRpId(QString("127.0.0.1"), QString("example.com"), &result);