Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: invalid numerics notation in session data #3722

Closed
wants to merge 4 commits into from
Closed

fix: invalid numerics notation in session data #3722

wants to merge 4 commits into from

Conversation

nekiro
Copy link

@nekiro nekiro commented Feb 23, 2024
edited
Loading

This PR fixes invalid numerics notation in stored session data.

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

Hydra (as of not sure which version, it worked fine on 1.8.5 though) incorrectly converts big (larger than 999999) numeric values into exponential notation.
This breaks the compatibility with older hydra versions and is in fact incorrect.

Playground to test this change:
https://go.dev/play/p/NDYofwinU4M

Reference:
https://groups.google.com/g/golang-nuts/c/Fd5jUfHxbh8

@CLAassistant
Copy link

CLAassistant commented Feb 23, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@nekiro nekiro changed the title fix: Invalid numerics notation in session data fix: invalid numerics notation in session data Feb 23, 2024
@codecov Codecov
Copy link

codecov bot commented Feb 23, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 76.23%. Comparing base (50301e0) to head (d6e4b57).
Report is 25 commits behind head on master.

Current head d6e4b57 differs from pull request most recent head fa2ed97

Please upload reports for the commit fa2ed97 to get more accurate results.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3722      +/-   ##
==========================================
- Coverage   76.39%   76.23%   -0.17%     
==========================================
  Files         135      134       -1     
  Lines       10283    10211      -72     
==========================================
- Hits         7856     7784      -72     
- Misses       1907     1910       +3     
+ Partials      520      517       -3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

aeneasr
aeneasr requested changes Mar 5, 2024
View reviewed changes
consent/handler.go Outdated
@@ -745,6 +745,7 @@ func (h *Handler) acceptOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ

var p flow.AcceptOAuth2ConsentRequest
d := json.NewDecoder(r.Body)
d.UseNumber()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will only fix it for this specific endpoint. Another way of solving this is to override MarshalJSON of flow.AcceptOAuth2ConsentRequest and similar methods.

Copy link
Author

@nekiro nekiro Mar 11, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think other "endpoints" have problems, this issue is specifically with the data saved into session. I didn't notice other places where this would be an issue.

Copy link
Author

@nekiro nekiro May 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, I added small helper and replaced occurrences of decode in several handlers. I'm not sure how can I use MarshalJSON methods with this change as there is only call to json.Marshal there.
I'm also not really a go developer, so I'm not used to work with this language.

@nekiro nekiro requested a review from alnr as a code owner May 7, 2024 10:00
@nekiro
Copy link
Author

nekiro commented Aug 1, 2024

The issue seems to be deeper, in fosite to be exact.
Nonetheless this type of number notation is valid.

@nekiro nekiro closed this Aug 1, 2024
@nekiro nekiro deleted the fix/invalid-numerics-notation branch August 1, 2024 09:05
@aeneasr aeneasr mentioned this pull request Aug 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr requested changes

@hperl hperl Awaiting requested review from hperl hperl is a code owner

@alnr alnr Awaiting requested review from alnr alnr is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nekiro @CLAassistant @aeneasr