From 4078b2288702346262c9ef2221fe4f47764101a1 Mon Sep 17 00:00:00 2001
From: Blake Erickson
Date: Tue, 12 May 2020 18:11:22 -0600
Subject: [PATCH] FIX: Handle missing provider return sso url

This commit prevents a 500 error from occurring if someone is trying to setup their discourse instance as a sso provider and they don't pass in a `return_sso_url` in their payload.
---
 lib/single_sign_on_provider.rb | 1 +
 spec/requests/session_controller_spec.rb | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/lib/single_sign_on_provider.rb b/lib/single_sign_on_provider.rb
index d97ecdf6c88..a626ffcf269 100644
--- a/lib/single_sign_on_provider.rb
+++ b/lib/single_sign_on_provider.rb
@@ -19,6 +19,7 @@ class SingleSignOnProvider < SingleSignOn
     decoded = Base64.decode64(parsed["sso"])
     decoded_hash = Rack::Utils.parse_query(decoded)
+    raise ParseError unless decoded_hash.key? 'return_sso_url'
     @return_sso_url = decoded_hash['return_sso_url']
   end
diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb
index 49b4d0943ff..dd44d52970e 100644
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@@ -1055,6 +1055,13 @@ RSpec.describe SessionController do
     expect(response.body).to eq(I18n.t("sso.missing_secret"))
   end
+  it "returns a 422 if no return_sso_url" do
+    SiteSetting.sso_provider_secrets = "abcdefghij"
+    sso = SingleSignOnProvider.new
+    get "/session/sso_provider?sso=asdf&sig=abcdefghij"
+    expect(response.status).to eq(422)
+  end
+
   it "successfully redirects user to return_sso_url when the user is logged in" do
     sign_in(@user)
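Review bot: The added `raise ParseError unless decoded_hash.key? 'return_sso_url'` only checks that the key is present, so a payload carrying an empty `return_sso_url=` still passes and leaves `@return_sso_url` set to an empty string; checking the value instead, `url = decoded_hash['return_sso_url']` followed by `raise ParseError if url.nil? || url.empty?`, covers both the missing and the empty case. The context line above it, `decoded = Base64.decode64(parsed["sso"])`, still raises a `NoMethodError` from `unpack1` when the `sso` query parameter is absent, so a request that omits `sso` entirely would presumably bypass the new check and surface as a 500 unless the caller rejects it first — a guard of the same shape on `parsed["sso"]` would close that path. Style-wise the surrounding lines call methods with parentheses (`parse_query(decoded)`), so `decoded_hash.key?('return_sso_url')` would match the file. The enclosing method's `def` line is outside the hunk.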