TestOAuth2InformationDisclosure tests that error messages don't leak sensitive information
(t *testing.T)
| 312 | |
| 313 | // TestOAuth2InformationDisclosure tests that error messages don't leak sensitive information |
| 314 | func TestOAuth2InformationDisclosure(t *testing.T) { |
| 315 | t.Parallel() |
| 316 | |
| 317 | client := coderdtest.New(t, nil) |
| 318 | _ = coderdtest.CreateFirstUser(t, client) |
| 319 | |
| 320 | ctx := t.Context() |
| 321 | |
| 322 | // Register a client for testing |
| 323 | clientName := fmt.Sprintf("test-client-%d", time.Now().UnixNano()) |
| 324 | regReq := codersdk.OAuth2ClientRegistrationRequest{ |
| 325 | RedirectURIs: []string{"https://example.com/callback"}, |
| 326 | ClientName: clientName, |
| 327 | } |
| 328 | regResp, err := client.PostOAuth2ClientRegistration(ctx, regReq) |
| 329 | require.NoError(t, err) |
| 330 | |
| 331 | t.Run("ErrorsDoNotLeakClientSecrets", func(t *testing.T) { |
| 332 | t.Parallel() |
| 333 | ctx := t.Context() |
| 334 | |
| 335 | // Try various invalid operations and ensure they don't leak the client secret |
| 336 | _, err := client.GetOAuth2ClientConfiguration(ctx, regResp.ClientID, "invalid-token") |
| 337 | require.Error(t, err) |
| 338 | |
| 339 | var httpErr *codersdk.Error |
| 340 | require.ErrorAs(t, err, &httpErr) |
| 341 | |
| 342 | // Error message should not contain any part of the client secret or registration token |
| 343 | errorText := strings.ToLower(httpErr.Message + httpErr.Detail) |
| 344 | require.NotContains(t, errorText, strings.ToLower(regResp.ClientSecret)) |
| 345 | require.NotContains(t, errorText, strings.ToLower(regResp.RegistrationAccessToken)) |
| 346 | }) |
| 347 | |
| 348 | t.Run("ErrorsDoNotLeakDatabaseDetails", func(t *testing.T) { |
| 349 | t.Parallel() |
| 350 | ctx := t.Context() |
| 351 | |
| 352 | // Try to access non-existent client |
| 353 | _, err := client.GetOAuth2ClientConfiguration(ctx, "non-existent-client-id", regResp.RegistrationAccessToken) |
| 354 | require.Error(t, err) |
| 355 | |
| 356 | var httpErr *codersdk.Error |
| 357 | require.ErrorAs(t, err, &httpErr) |
| 358 | |
| 359 | // Error message should not leak database schema information |
| 360 | errorText := strings.ToLower(httpErr.Message + httpErr.Detail) |
| 361 | require.NotContains(t, errorText, "sql") |
| 362 | require.NotContains(t, errorText, "database") |
| 363 | require.NotContains(t, errorText, "table") |
| 364 | require.NotContains(t, errorText, "row") |
| 365 | require.NotContains(t, errorText, "constraint") |
| 366 | }) |
| 367 | |
| 368 | t.Run("ErrorsAreConsistentForInvalidClients", func(t *testing.T) { |
| 369 | t.Parallel() |
| 370 | ctx := t.Context() |
| 371 |
nothing calls this directly
no test coverage detected