From 1f1b2bd3860ce063af21a67341e912ef1bb53ce2 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Thu, 31 Aug 2023 01:52:00 +0200 Subject: [PATCH] fix(oauth2): Fix crash in rolesClaim extraction This patch adds a try-catch around the rolesClaim extraction to prevent full crashes of HedgeDoc when a user profile is read, that doesn't contain any such claim, which can happen with some IdPs, like Keycloak, that omit the attribute when it's empty. As a result an authorized user would crash the entire server, which is definitely unintended behaviour. The simply try-catch should resolve the issue and make sure that roles is always defined even if the `extractProfileAttribute` call fails. Signed-off-by: Sheogorath --- lib/web/auth/oauth2/index.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js index e7c93067..2cdcc349 100644 --- a/lib/web/auth/oauth2/index.js +++ b/lib/web/auth/oauth2/index.js @@ -75,7 +75,13 @@ function checkAuthorization (data, done) { logger.error('oauth2: "accessRole" is configured, but "rolesClaim" is missing from the config. Can\'t check group membership!') } else { // parse and check role data - const roles = extractProfileAttribute(data, config.oauth2.rolesClaim) + let roles = [] + try { + roles = extractProfileAttribute(data, config.oauth2.rolesClaim) + } catch (err) { + logger.warn(`oauth2: failed to extract rolesClaim '${config.oauth2.rolesClaim}' from user profile.`) + return done('Permission denied', null) + } if (!roles) { logger.error('oauth2: "accessRole" is configured, but user profile doesn\'t contain roles attribute. Permission denied') return done('Permission denied', null)