diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/exception/WhitelistScopesException.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/exception/WhitelistScopesException.java
new file mode 100644
index 000000000..9b662faaf
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/exception/WhitelistScopesException.java
@@ -0,0 +1,25 @@
+/**
+ *
+ *

+ * Copyright (c) 2010-2023 Gresham Technologies plc. All rights reserved.
+ *
+ *
+ */
+package org.mitre.openid.connect.exception;
+
+/**
+ * @author hwsmith
+ */
+public class WhitelistScopesException extends Exception {
+
+ private final String invalidScope;
+
+ public WhitelistScopesException(String invalidScope) {
+ this.invalidScope = invalidScope;
+ }
+
+ public String getMessage() {
+ return "The scope " + invalidScope + " is invalid as it contains non-alphabet characters";
+ }
+
+}
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/WhitelistAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/WhitelistAPI.java
index 969a5febc..932edea2f 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/WhitelistAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/WhitelistAPI.java
@@ -22,7 +22,9 @@ package org.mitre.openid.connect.web;
import java.security.Principal;
import java.util.Collection;
+import java.util.Set;
+import org.mitre.openid.connect.exception.WhitelistScopesException;
import org.mitre.openid.connect.model.WhitelistedSite;
import org.mitre.openid.connect.service.WhitelistedSiteService;
import org.mitre.openid.connect.view.HttpCodeView;
@@ -56,6 +58,7 @@ import com.google.gson.JsonParser;
public class WhitelistAPI {
public static final String URL = RootController.API_URL + "/whitelist";
+ private static final String characterMatcher = "[a-zA-Z]+";
@Autowired private WhitelistedSiteService whitelistService;
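Review bot: `getMessage()` in the new WhitelistScopesException embeds the rejected scope verbatim, and by construction that string has already failed the letters-only check, so it can carry CR/LF or other control characters; both call sites in WhitelistAPI pass `e.getMessage()` straight to `logger.error`, which turns a client-supplied value into a log-forging vector unless the logging backend escapes it. Either sanitize in the constructor, e.g. `this.invalidScope = invalidScope.replaceAll("\\p{Cntrl}", "?");`, or expose the raw value through a getter and keep it out of the message altogether. On style, the override is missing `@Override`; passing the text to `super(...)` in the constructor would avoid overriding `getMessage()` at all, and as a Serializable subclass of Exception the class also wants a `serialVersionUID`.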
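Review bot: The pattern `[a-zA-Z]+` rejects scope values that are legitimate in OAuth 2.0 and OpenID Connect — `offline_access` is defined by OIDC Core, and RFC 6749 §3.3 permits any printable ASCII except space, `"` and `\` in a scope token — so once this lands such scopes can no longer be whitelisted unless the deployment deliberately restricts scope names to letters, which the diff does not say. If the goal is only to keep delimiters and injection-prone characters out, the RFC 6749 NQCHAR class `"[\\x21\\x23-\\x5B\\x5D-\\x7E]+"` is the documented boundary and should be stated in a comment on the constant. The regex is also re-parsed on every `String.matches` call; compile it once as `private static final Pattern SCOPE_TOKEN = Pattern.compile("[a-zA-Z]+");` (upper-case, matching `URL` above), which needs `import java.util.regex.Pattern;` in the import hunk.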
@@ -100,7 +103,12 @@ public class WhitelistAPI {
try {
json = parser.parse(jsonString).getAsJsonObject();
whitelist = gson.fromJson(json, WhitelistedSite.class);
-
+ validateWhitelistScopes(whitelist.getAllowedScopes());
+ } catch (WhitelistScopesException e) {
+ logger.error("addNewWhitelistedSite failed due to WhitelistException. {}", e.getMessage());
+ m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
+ m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Could not save new whitelisted site. The server encountered a whitelist exception. Contact a system administrator for assistance.");
+ return JsonErrorView.VIEWNAME;
} catch (JsonParseException e) {
logger.error("addNewWhitelistedSite failed due to JsonParseException", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
@@ -137,7 +145,12 @@ public class WhitelistAPI {
try {
json = parser.parse(jsonString).getAsJsonObject();
whitelist = gson.fromJson(json, WhitelistedSite.class);
-
+ validateWhitelistScopes(whitelist.getAllowedScopes());
+ } catch (WhitelistScopesException e) {
+ logger.error("addNewWhitelistedSite failed due to WhitelistScopeException. {}", e.getMessage());
+ m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
+ m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Could not save new whitelisted site. The server encountered a whitelist scope exception. Contact a system administrator for assistance.");
+ return JsonErrorView.VIEWNAME;
} catch (JsonParseException e) {
logger.error("updateWhitelistedSite failed due to JsonParseException", e);
m.put(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
@@ -167,6 +180,14 @@ public class WhitelistAPI {
}
}
+ private void validateWhitelistScopes(Set scopes) throws WhitelistScopesException {
+ for (String s : scopes) {
+ if (!s.matches(characterMatcher)) {
+ throw new WhitelistScopesException(s);
+ }
+ }
+ }
+
/**
* Delete a whitelisted site
*
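Review bot: The new catch block in addNewWhitelistedSite logs `e.getMessage()` at ERROR level, and that message contains the rejected scope verbatim — client-supplied input that has already failed the letters-only check, so it may hold newlines or other control characters and can forge log lines unless the backend escapes them; a rejected request body is also a client error, not a server fault, so WARN fits better. Suggest `logger.warn("addNewWhitelistedSite rejected a whitelist scope: {}", e.getMessage().replaceAll("\\p{Cntrl}", "?"));`. The JSON error text tells the caller to contact an administrator although the 400 is caused by the request itself; naming the rejected scope in the response (the view presumably JSON-encodes it) would make the error actionable. `whitelist.getAllowedScopes()` is also passed with no null guard, so if Gson leaves the field null when it is absent from the body — that depends on WhitelistedSite's initializer, outside this diff — the result is an uncaught NullPointerException instead of the intended 400. The enclosing method starts before and ends after this hunk.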
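Review bot: The log line added to updateWhitelistedSite names the wrong method — `"addNewWhitelistedSite failed due to WhitelistScopeException. {}"` — while the neighbouring JsonParseException handler correctly says `updateWhitelistedSite`, so anyone triaging from logs would look at the wrong endpoint; change it to `logger.warn("updateWhitelistedSite rejected a whitelist scope: {}", e.getMessage());` (with the same control-character concern as in the create path). The user-facing text `"Could not save new whitelisted site. ..."` is likewise copied from the create handler and should read "Could not update whitelisted site". The handler also uses `m.addAttribute` where the sibling handler two lines below uses `m.put`; both work if `m` is a ModelMap, as it appears to be, but the mix reads as copy-paste. The enclosing method starts before and ends after this hunk.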
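Review bot: `validateWhitelistScopes` dereferences `scopes` and every element without a null check, so a body with no `allowedScopes` (if WhitelistedSite leaves the field null — its initializer is outside this diff) or a JSON `null` element escapes the handlers as a NullPointerException and surfaces as a 500 rather than the intended 400; the raw `Set` parameter also discards the element type the for-each silently assumes. `String.matches` recompiles `characterMatcher` on every element as well; compiling it once and matching against the `Pattern` is cheaper and makes the constraint explicit. The rewrite below assumes `characterMatcher` has been turned into a compiled `Pattern` constant named `SCOPE_TOKEN`; whether an absent scope set should pass or be rejected is a policy call worth confirming with the service owner.
```java
/** Rejects the request when any allowed scope fails the SCOPE_TOKEN pattern (letters only today). */
private void validateWhitelistScopes(Set<String> scopes) throws WhitelistScopesException {
    if (scopes == null) {
        return; // no scopes supplied: nothing to validate — confirm this is the intended policy
    }
    for (String scope : scopes) {
        if (scope == null || !SCOPE_TOKEN.matcher(scope).matches()) {
            throw new WhitelistScopesException(String.valueOf(scope));
        }
    }
}
```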