Fix IPV6 regex used to check redirect_uri

JonathanHuot · JonathanHuot · commit 5d85c6199869 · 2022-09-06T21:56:40.000+02:00
diff --git a/oauthlib/uri_validate.py b/oauthlib/uri_validate.py
@@ -66,7 +66,7 @@
 )
 
 #   IPv6address
-IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
+IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"
 
 #   IPvFuture     = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
 IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s | %(sub_delims)s | : )+" % locals()
diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
@@ -1,4 +1,4 @@
-import oauthlib
+import unittest
 from oauthlib.uri_validate import is_absolute_uri
 
 from tests.unittest import TestCase
@@ -7,7 +7,6 @@
 class UriValidateTest(TestCase):
 
     def test_is_absolute_uri(self):
-
         self.assertIsNotNone(is_absolute_uri('schema://example.com/path'))
         self.assertIsNotNone(is_absolute_uri('https://example.com/path'))
         self.assertIsNotNone(is_absolute_uri('https://example.com'))
@@ -17,16 +16,60 @@ def test_is_absolute_uri(self):
         self.assertIsNotNone(is_absolute_uri('http://example.com'))
         self.assertIsNotNone(is_absolute_uri('http://example.com/path'))
         self.assertIsNotNone(is_absolute_uri('http://example.com:80/path'))
-        self.assertIsNotNone(is_absolute_uri('com.example.bundle.id:/'))
+
+    def test_query(self):
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar&fruit=banana'))
+
+    def test_fragment_forbidden(self):
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar&fruit=banana'))
+
+    def test_combined_forbidden(self):
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo#bar'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo&bar#fruit'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar#fruit=banana'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar=2#fruit=banana&bar=foo'))
+
+    def test_custom_scheme(self):
+        self.assertIsNotNone(is_absolute_uri('com.example.bundle.id://'))
+
+    def test_ipv6_bracket(self):
         self.assertIsNotNone(is_absolute_uri('http://[::1]:38432/path'))
         self.assertIsNotNone(is_absolute_uri('http://[::1]/path'))
         self.assertIsNotNone(is_absolute_uri('http://[fd01:0001::1]/path'))
         self.assertIsNotNone(is_absolute_uri('http://[fd01:1::1]/path'))
         self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]/path'))
+        self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]:8080/path'))
+
+    @unittest.skip("ipv6 edge-cases not supported")
+    def test_ipv6_edge_cases(self):
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:7777:8888'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF'))
+        self.assertIsNotNone(is_absolute_uri('http://0123:4567:89ab:cdef:0123:4567:89ab:cdef/path'))
+        self.assertIsNotNone(is_absolute_uri('http://::'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:0db8:0001:0000:0000:0ab9:C0A8:0102'))
+
+    @unittest.skip("ipv6 dual ipv4 not supported")
+    def test_ipv6_dual(self):
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:1.2.3.4'))
+        self.assertIsNotNone(is_absolute_uri('http://::11.22.33.44'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::123.123.123.123'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678:91.123.4.56'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678:1.2.3.4'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678:5.6.7.8'))
+
+    def test_ipv4(self):
         self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
         self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
         self.assertIsNotNone(is_absolute_uri('http://127.1:38432/'))
 
+    def test_failures(self):
         self.assertIsNone(is_absolute_uri('http://example.com:notaport/path'))
         self.assertIsNone(is_absolute_uri('wrong'))
         self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
@@ -35,7 +78,7 @@ def test_is_absolute_uri(self):
     def test_recursive_regex(self):
         from datetime import datetime
         t0 = datetime.now()
-        self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
+        is_absolute_uri('http://[::::::::::::::::::::::::::]/path')
         t1 = datetime.now()
         spent = t1 - t0
         self.assertGreater(0.1, spent.total_seconds(), "possible recursive loop detected")

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@`
`66`	`66`	`)`
`67`	`67`
`68`	`68`	`# IPv6address`
`69`		`-IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"`
	`69`	`+IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"`
`70`	`70`
`71`	`71`	`# IPvFuture = "v" 1HEXDIG "." 1( unreserved / sub-delims / ":" )`
`72`	`72`	`IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s \| %(sub_delims)s \| : )+" % locals()`