* [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation
@ 2025-03-18 13:59 Christoph Heiss
2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Christoph Heiss @ 2025-03-18 13:59 UTC (permalink / raw)
To: pmg-devel
First and foremost, fixes #6214 [0].
The second patch just adds some more validation on the UI side of
things. While not strictly related to #6214, it's a nice touch.
[0] https://bugzilla.proxmox.com/show_bug.cgi?id=6214
pmg-api:
Christoph Heiss (1):
auth: oidc: fix pattern for `client-id` and `client-key`
src/PMG/Auth/OIDC.pm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
proxmox-widget-toolkit:
Christoph Heiss (1):
window: AuthEditOpenId: add validation for some required fields
src/Utils.js | 4 ++++
src/window/AuthEditOpenId.js | 8 ++++++++
2 files changed, 12 insertions(+)
--
2.48.1
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key`
2025-03-18 13:59 [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss
@ 2025-03-18 13:59 ` Christoph Heiss
2025-06-26 10:46 ` [pmg-devel] applied: " Stoiko Ivanov
2025-03-18 13:59 ` [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields Christoph Heiss
2025-05-16 10:13 ` [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss
2 siblings, 1 reply; 6+ messages in thread
From: Christoph Heiss @ 2025-03-18 13:59 UTC (permalink / raw)
To: pmg-devel
Fixes #6214 [0].
As per RFC 6749 Appendix A [1], `client-id` and `client-key` can contain
any printable ascii character, i.e. anything in the (inclusive) range
0x20-0x7E.
Reflect that in the pattern.
[0] https://bugzilla.proxmox.com/show_bug.cgi?id=6214
[1] https://www.rfc-editor.org/rfc/rfc6749#appendix-A
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
src/PMG/Auth/OIDC.pm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm
index b2b1a05..5f797d1 100755
--- a/src/PMG/Auth/OIDC.pm
+++ b/src/PMG/Auth/OIDC.pm
@@ -61,18 +61,22 @@ sub properties {
maxLength => 256,
pattern => qr/^(https?):\/\/([a-zA-Z0-9.-]+)(:[0-9]{1,5})?(\/[^\s]*)?$/,
},
+ # See RFC 6749, Appendix A for the allowed pattern for `client-id` and
+ # `client-key`.
+ # https://www.rfc-editor.org/rfc/rfc6749#appendix-A
+ # tl;dr: anything ASCII in the (inclusive) range 0x20-0x7E
'client-id' => {
description => "OpenID Connect Client ID",
type => 'string',
maxLength => 256,
- pattern => qr/^[a-zA-Z0-9._:-]+$/,
+ pattern => qr/^[\x20-\x7E]+$/,
},
'client-key' => {
description => "OpenID Connect Client Key",
type => 'string',
optional => 1,
maxLength => 256,
- pattern => qr/^[a-zA-Z0-9._:-]+$/,
+ pattern => qr/^[\x20-\x7E]+$/,
},
autocreate => {
description => "Automatically create users if they do not exist.",
--
2.48.1
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields
2025-03-18 13:59 [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss
2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss
@ 2025-03-18 13:59 ` Christoph Heiss
2025-06-26 10:47 ` Stoiko Ivanov
2025-05-16 10:13 ` [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss
2 siblings, 1 reply; 6+ messages in thread
From: Christoph Heiss @ 2025-03-18 13:59 UTC (permalink / raw)
To: pmg-devel
For the `client-id` and `client-secret` OIDC-specific fields, allow the
format specified in RFC 6749, Appendix A [0].
As per that, the OIDC-specific `client-id` and `client-key` can contain
any printable ascii character, i.e. anything in the (inclusive) range
0x20-0x7E.
For the issuer URL, use our existing URL validation regex, while the
realm name itself must follow authentication realm naming scheme.
[0] https://www.rfc-editor.org/rfc/rfc6749#appendix-A
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
src/Utils.js | 4 ++++
src/window/AuthEditOpenId.js | 8 ++++++++
2 files changed, 12 insertions(+)
diff --git a/src/Utils.js b/src/Utils.js
index c873c85..e17bee8 100644
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -1545,6 +1545,10 @@ utilities: {
// Same as SAFE_ID_REGEX in proxmox-schema
me.safeIdRegex = /^(?:[A-Za-z0-9_][A-Za-z0-9._\\-]*)$/;
+
+ me.printableAsciiRegex = /^[\x20-\x7E]+$/;
+
+ me.authRealmNameRegex = /^[A-Za-z][A-Za-z0-9.\-_]+$/;
},
});
diff --git a/src/window/AuthEditOpenId.js b/src/window/AuthEditOpenId.js
index ed0a6dc..5939516 100644
--- a/src/window/AuthEditOpenId.js
+++ b/src/window/AuthEditOpenId.js
@@ -23,6 +23,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
name: 'issuer-url',
fieldLabel: gettext('Issuer URL'),
allowBlank: false,
+ regex: Proxmox.Utils.httpUrlRegex,
+ regexText: gettext('Must be a valid URL'),
},
],
@@ -36,6 +38,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
},
fieldLabel: gettext('Realm'),
allowBlank: false,
+ regex: Proxmox.Utils.authRealmNameRegex,
+ regexText: gettext('Must be a valid realm name'),
},
{
xtype: 'proxmoxcheckbox',
@@ -57,6 +61,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
fieldLabel: gettext('Client ID'),
name: 'client-id',
allowBlank: false,
+ regex: Proxmox.Utils.printableAsciiRegex, // RFC 6749, Appendix A
+ regexText: gettext('Must be a valid OIDC Client ID'),
},
{
xtype: 'proxmoxtextfield',
@@ -65,6 +71,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
deleteEmpty: '{!isCreate}',
},
name: 'client-key',
+ regex: Proxmox.Utils.printableAsciiRegex, // RFC 6749, Appendix A
+ regexText: gettext('Must be a valid OIDC Client Secret'),
},
],
--
2.48.1
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation
2025-03-18 13:59 [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss
2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss
2025-03-18 13:59 ` [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields Christoph Heiss
@ 2025-05-16 10:13 ` Christoph Heiss
2 siblings, 0 replies; 6+ messages in thread
From: Christoph Heiss @ 2025-05-16 10:13 UTC (permalink / raw)
To: pmg-devel
Ping, still applies.
On Tue Mar 18, 2025 at 2:59 PM CET, Christoph Heiss wrote:
> First and foremost, fixes #6214 [0].
>
> The second patch just adds some more validation on the UI side of
> things. While not strictly related to #6214, it's a nice touch.
>
> [0] https://bugzilla.proxmox.com/show_bug.cgi?id=6214
>
> pmg-api:
>
> Christoph Heiss (1):
> auth: oidc: fix pattern for `client-id` and `client-key`
>
> src/PMG/Auth/OIDC.pm | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> proxmox-widget-toolkit:
>
> Christoph Heiss (1):
> window: AuthEditOpenId: add validation for some required fields
>
> src/Utils.js | 4 ++++
> src/window/AuthEditOpenId.js | 8 ++++++++
> 2 files changed, 12 insertions(+)
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* [pmg-devel] applied: [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key`
2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss
@ 2025-06-26 10:46 ` Stoiko Ivanov
0 siblings, 0 replies; 6+ messages in thread
From: Stoiko Ivanov @ 2025-06-26 10:46 UTC (permalink / raw)
To: Christoph Heiss; +Cc: pmg-devel
applied this one after skimming through the RFC - thanks for the patch!
On Tue, 18 Mar 2025 14:59:17 +0100
Christoph Heiss <c.heiss@proxmox.com> wrote:
> Fixes #6214 [0].
>
> As per RFC 6749 Appendix A [1], `client-id` and `client-key` can contain
> any printable ascii character, i.e. anything in the (inclusive) range
> 0x20-0x7E.
>
> Reflect that in the pattern.
>
> [0] https://bugzilla.proxmox.com/show_bug.cgi?id=6214
> [1] https://www.rfc-editor.org/rfc/rfc6749#appendix-A
>
> Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
> ---
> src/PMG/Auth/OIDC.pm | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm
> index b2b1a05..5f797d1 100755
> --- a/src/PMG/Auth/OIDC.pm
> +++ b/src/PMG/Auth/OIDC.pm
> @@ -61,18 +61,22 @@ sub properties {
> maxLength => 256,
> pattern => qr/^(https?):\/\/([a-zA-Z0-9.-]+)(:[0-9]{1,5})?(\/[^\s]*)?$/,
> },
> + # See RFC 6749, Appendix A for the allowed pattern for `client-id` and
> + # `client-key`.
> + # https://www.rfc-editor.org/rfc/rfc6749#appendix-A
> + # tl;dr: anything ASCII in the (inclusive) range 0x20-0x7E
> 'client-id' => {
> description => "OpenID Connect Client ID",
> type => 'string',
> maxLength => 256,
> - pattern => qr/^[a-zA-Z0-9._:-]+$/,
> + pattern => qr/^[\x20-\x7E]+$/,
> },
> 'client-key' => {
> description => "OpenID Connect Client Key",
> type => 'string',
> optional => 1,
> maxLength => 256,
> - pattern => qr/^[a-zA-Z0-9._:-]+$/,
> + pattern => qr/^[\x20-\x7E]+$/,
> },
> autocreate => {
> description => "Automatically create users if they do not exist.",
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields
2025-03-18 13:59 ` [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields Christoph Heiss
@ 2025-06-26 10:47 ` Stoiko Ivanov
0 siblings, 0 replies; 6+ messages in thread
From: Stoiko Ivanov @ 2025-06-26 10:47 UTC (permalink / raw)
To: Christoph Heiss; +Cc: pmg-devel
On Tue, 18 Mar 2025 14:59:18 +0100
Christoph Heiss <c.heiss@proxmox.com> wrote:
> For the `client-id` and `client-secret` OIDC-specific fields, allow the
> format specified in RFC 6749, Appendix A [0].
>
> As per that, the OIDC-specific `client-id` and `client-key` can contain
> any printable ascii character, i.e. anything in the (inclusive) range
> 0x20-0x7E.
>
> For the issuer URL, use our existing URL validation regex, while the
> realm name itself must follow authentication realm naming scheme.
>
> [0] https://www.rfc-editor.org/rfc/rfc6749#appendix-A
>
> Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
not a maintainer for widget-toolkit - but from looking through the RFC
consider this:
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> src/Utils.js | 4 ++++
> src/window/AuthEditOpenId.js | 8 ++++++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/src/Utils.js b/src/Utils.js
> index c873c85..e17bee8 100644
> --- a/src/Utils.js
> +++ b/src/Utils.js
> @@ -1545,6 +1545,10 @@ utilities: {
>
> // Same as SAFE_ID_REGEX in proxmox-schema
> me.safeIdRegex = /^(?:[A-Za-z0-9_][A-Za-z0-9._\\-]*)$/;
> +
> + me.printableAsciiRegex = /^[\x20-\x7E]+$/;
> +
> + me.authRealmNameRegex = /^[A-Za-z][A-Za-z0-9.\-_]+$/;
> },
> });
>
> diff --git a/src/window/AuthEditOpenId.js b/src/window/AuthEditOpenId.js
> index ed0a6dc..5939516 100644
> --- a/src/window/AuthEditOpenId.js
> +++ b/src/window/AuthEditOpenId.js
> @@ -23,6 +23,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
> name: 'issuer-url',
> fieldLabel: gettext('Issuer URL'),
> allowBlank: false,
> + regex: Proxmox.Utils.httpUrlRegex,
> + regexText: gettext('Must be a valid URL'),
> },
> ],
>
> @@ -36,6 +38,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
> },
> fieldLabel: gettext('Realm'),
> allowBlank: false,
> + regex: Proxmox.Utils.authRealmNameRegex,
> + regexText: gettext('Must be a valid realm name'),
> },
> {
> xtype: 'proxmoxcheckbox',
> @@ -57,6 +61,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
> fieldLabel: gettext('Client ID'),
> name: 'client-id',
> allowBlank: false,
> + regex: Proxmox.Utils.printableAsciiRegex, // RFC 6749, Appendix A
> + regexText: gettext('Must be a valid OIDC Client ID'),
> },
> {
> xtype: 'proxmoxtextfield',
> @@ -65,6 +71,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
> deleteEmpty: '{!isCreate}',
> },
> name: 'client-key',
> + regex: Proxmox.Utils.printableAsciiRegex, // RFC 6749, Appendix A
> + regexText: gettext('Must be a valid OIDC Client Secret'),
> },
> ],
>
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-06-26 10:46 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-03-18 13:59 [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss
2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss
2025-06-26 10:46 ` [pmg-devel] applied: " Stoiko Ivanov
2025-03-18 13:59 ` [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields Christoph Heiss
2025-06-26 10:47 ` Stoiko Ivanov
2025-05-16 10:13 ` [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox