In October, I reported two security issues to Okta’s auth0/nextjs-auth0 project, here and here. The second, an OAuth parameter injection, allows several kinds of abuse: scoping tokens for unintended services, setting redirect_uri and scope to arbitrary values to leak tokens, and so on.
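To show why the injection works and why percent-encoding closes it, here is an added example (not code from the nextjs-auth0 project): the unsafe builder mirrors the pre-patch string interpolation, the safe builder mirrors the patched one, and both results are parsed the way a receiving login handler would see them. The loginUrl and returnTo values are constructed for illustration.

```javascript
// Added example, not the project's own code. Demonstrates how an unencoded
// returnTo lets extra query parameters reach the login handler, and how
// encodeURIComponent keeps the whole value inside a single parameter.

// Mirrors the pre-patch construction: returnTo is interpolated verbatim.
function buildLoginUrlUnsafe(loginUrl, returnTo) {
  return `${loginUrl}${returnTo ? `?returnTo=${returnTo}` : ""}`;
}

// Mirrors the patched construction: returnTo becomes one encoded value.
function buildLoginUrlSafe(loginUrl, returnTo) {
  return `${loginUrl}${returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`;
}

// Parse the query string as a receiving handler would and return a plain
// object of parameter name -> decoded value. The base origin is a placeholder
// needed only because the URLs above are relative.
function queryParams(url) {
  const params = new URL(url, "https://app.example").searchParams;
  return Object.fromEntries(params.entries());
}

// Constructed sample: a returnTo carrying extra OAuth parameters of the kind
// the bug report describes (scope and redirect_uri chosen by the caller).
const smuggled =
  "/dashboard&scope=openid%20offline_access&redirect_uri=https://third-party.example/cb";

const unsafeUrl = buildLoginUrlUnsafe("/api/auth/login", smuggled);
const safeUrl = buildLoginUrlSafe("/api/auth/login", smuggled);

// Unsafe: three parameters arrive (returnTo, scope, redirect_uri).
// Safe: exactly one parameter, returnTo, equal to the full original string.
console.log(queryParams(unsafeUrl));
console.log(queryParams(safeUrl));
```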
The patch was simple enough, so I opened a PR:
diff --git a/src/server/helpers/with-page-auth-required.ts b/src/server/helpers/with-page-auth-required.ts index 41af2dfe..f07046b8 100644 --- a/src/server/helpers/with-page-auth-required.ts +++ b/src/server/helpers/with-page-auth-required.ts @@ -196,7 +196,7 @@ export const appRouteHandlerFactory = : opts.returnTo; const { redirect } = await import("next/navigation.js"); redirect( - `${config.loginUrl}${opts.returnTo ? `?returnTo=${returnTo}` : ""}` + `${config.loginUrl}${opts.returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}` ); } return handler(params);
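Review bot: the guard in the redirect call still tests `opts.returnTo` while the value actually interpolated is the derived `returnTo` (assigned from `: opts.returnTo;` just above); consider guarding on `returnTo` itself so the condition and the encoded value refer to the same variable. Encoding at the interpolation point is the right fix for the parameter injection, so a regression test that a returnTo containing `&`, `?` or `=` round-trips as a single `returnTo` query value would keep this from regressing.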
All’s well that ends well, right? Obviously, no.
The PR, 3 weeks later, was closed by the maintainer, an auth0 (an Okta company) employee, with the following comment:
This change is superseded by #2413. This was done to ensure that commits are signed. Original contribution history has been preserved. Hence closing this PR now.
Hmm, let’s take a look at that PR:
auth0/nextjs-auth0 #2413
Hmm. That patch looks familiar. And who is Simen Olsen?
Pushing back on the attribution error, I replied: