From 4e834896a1c68cd536971dcfff7c3afbcff637ae Mon Sep 17 00:00:00 2001
From: jwijenbergh
Date: Mon, 17 Oct 2022 10:51:35 +0200
Subject: OAuth: Implement Authorization Server Issuer Identification (ISS)

- This patch implements ISS checking according to RFC 9207 https://datatracker.ietf.org/doc/html/rfc9207
- This tries to prevent so called "mix-up" attacks where the client is fooled into authorizing with an honest AS through a malicious entity
---
 internal/util/util.go | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'internal/util/util.go')

diff --git a/internal/util/util.go b/internal/util/util.go
index f9e2f7b..a8abd80 100644
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "net/url"
 "os"
+ "path"
 "strings"
 "time"
 
@@ -23,6 +24,11 @@ func EnsureValidURL(s string) (string, error) {
 if parsedURL.Scheme == "" {
 parsedURL.Scheme = "https"
 }
+ if parsedURL.Path != "" {
+ // Clean the path
+ // https://pkg.go.dev/path#Clean
+ parsedURL.Path = path.Clean(parsedURL.Path)
+ }
 return parsedURL.String(), nil
 }
-- 
cgit v1.2.3
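Review bot: `path.Clean` in the new block of EnsureValidURL drops a trailing slash (`/realm/` becomes `/realm`, only `/` is kept) and collapses `..` and `//`, so the returned string is no longer the issuer identifier the server advertises; RFC 9207 §2.4 requires the `iss` parameter to be checked by simple string comparison against the configured issuer, so if the normalized value is what the comparison uses (the rest of the patch is not in this view, so this is inferred), an issuer that legitimately ends in a slash would fail the check, and a mismatch between what is normalized and what is not would silently weaken or break the mix-up defence. If the intent is only to collapse redundant segments, preserve the trailing slash explicitly: `cleaned := path.Clean(parsedURL.Path)`, `if strings.HasSuffix(parsedURL.Path, "/") && cleaned != "/" { cleaned += "/" }`, `parsedURL.Path = cleaned` (`strings` is already imported). The two comment lines above the assignment only link to the package docs; replace them with the reason, e.g. `// Normalize the path so the issuer identifier compares as a plain string (RFC 9207 §2.4); path.Clean would also strip a trailing slash, which is restored below.` `parsedURL.RawPath` is left untouched, which is safe because `URL.String` re-escapes `Path` when `RawPath` no longer matches it, but `parsedURL.RawPath = ""` after the assignment would make that explicit. EnsureValidURL's signature and the parsing of `s` sit outside the hunk, so the empty-path guard is the only visible protection against `path.Clean("")` returning `"."`.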