fix: Improved the LTI tool response parser and mitigated XSS vulnerabilities

KirillBorisovich · KirillBorisovich · commit b59a18aacab5 · 2026-04-26T11:33:18.000+03:00
diff --git a/HwProj.APIGateway/HwProj.APIGateway.API/Lti/Controllers/LtiDeepLinkingReturnController.cs b/HwProj.APIGateway/HwProj.APIGateway.API/Lti/Controllers/LtiDeepLinkingReturnController.cs
@@ -1,7 +1,9 @@
 using System;
-using System.Collections.Generic;
+using System.Linq;
 using System.IdentityModel.Tokens.Jwt;
+using System.Text.Encodings.Web;
 using System.Text.Json;
+using System.Text.Unicode;
 using System.Threading.Tasks;
 using HwProj.APIGateway.API.Lti.Configuration;
 using HwProj.APIGateway.API.Lti.Services;
@@ -25,12 +27,12 @@ ILtiKeyService ltiKeyService
     [AllowAnonymous]
     public async Task<IActionResult> OnDeepLinkingReturnAsync([FromForm] IFormCollection form)
     {
-        if (!form.ContainsKey("JWT"))
+        if (!form.TryGetValue("JWT", out var jwtValue))
         {
             return BadRequest("Missing JWT parameter");
         }
 
-        string tokenString = form["JWT"]!;
+        var tokenString = jwtValue.ToString();
         var handler = new JwtSecurityTokenHandler();
 
         if (!handler.CanReadToken(tokenString))
@@ -48,78 +50,87 @@ public async Task<IActionResult> OnDeepLinkingReturnAsync([FromForm] IFormCollec
         }
 
         var signingKeys = await ltiKeyService.GetKeysAsync(tool.JwksEndpoint);
+        JwtSecurityToken validatedToken;
 
         try
         {
             handler.ValidateToken(tokenString, new TokenValidationParameters
             {
                 ValidateIssuer = true,
-                ValidIssuer = unverifiedToken.Issuer,
-
+                ValidIssuer = tool.issuer,
                 ValidateAudience = true,
                 ValidAudience = ltiPlatformOptions.Value.Issuer,
-
                 ValidateLifetime = true,
                 ClockSkew = TimeSpan.FromMinutes(5),
-
                 ValidateIssuerSigningKey = true,
                 IssuerSigningKeys = signingKeys
-            }, out var validatedToken);
+            }, out var secToken);
+
+            validatedToken = (JwtSecurityToken)secToken;
         }
         catch (Exception ex)
         {
             return BadRequest($"Token signature validation failed: {ex.Message}");
         }
         
         const string itemsClaimName = "https://purl.imsglobal.org/spec/lti-dl/claim/content_items";
-        
-        var resultList = new List<object>();
 
-        if (unverifiedToken.Payload.TryGetValue(itemsClaimName, out var itemsObject))
-        {
-            var jsonString = itemsObject.ToString();
-            if (!string.IsNullOrEmpty(jsonString))
-            {
-                using var doc = JsonDocument.Parse(jsonString);
-                if (doc.RootElement.ValueKind == JsonValueKind.Array)
-                {
-                    foreach (var rawItem in doc.RootElement.EnumerateArray())
-                    {
-                        resultList.Add(rawItem.Clone().ToString());
-                    }
-                }
-            }
-        }
+        var itemsClaims = validatedToken.Claims
+            .Where(c => c.Type == itemsClaimName)
+            .Select(c => c.Value)
+            .ToList();
 
-        if (resultList.Count == 0)
+        if (itemsClaims.Count == 0)
         {
             return Content("<script>window.close();</script>", "text/html");
         }
 
-        var responsePayloadJson = JsonSerializer.Serialize(resultList);
+        string safeJsonPayload;
+        var options = new JsonSerializerOptions
+        {
+            Encoder = JavaScriptEncoder.Create(UnicodeRanges.All)
+        };
+
+        if (itemsClaims.Count == 1)
+        {
+            var singleParsed = JsonSerializer.Deserialize<JsonElement>(itemsClaims[0]);
+
+            safeJsonPayload = singleParsed.ValueKind ==JsonValueKind.Array ?
+                JsonSerializer.Serialize(singleParsed, options) : JsonSerializer.Serialize(new[] { singleParsed }, options);
+        }
+        else
+        {
+            var elements = itemsClaims
+                .Select(v => JsonSerializer.Deserialize<JsonElement>(v))
+                .ToList();
+            safeJsonPayload = JsonSerializer.Serialize(elements, options);
+        }
 
-        // language=html
         var htmlResponse = $@"
         <!DOCTYPE html>
         <html>
         <head><title>Processing LTI Return...</title></head>
-        <body>
-            <p>Задача выбрана. Возвращаемся в HwProj...</p>
+        <body
+            <script type=""application/json"" id=""lti-payload"">
+                {safeJsonPayload}
+            </script>
+
             <script>
-                var payload = {responsePayloadJson};
-                
-                function sendAndClose() {{
+                try {{
+                    var payloadElement = document.getElementById('lti-payload');
+                    var payload = JSON.parse(payloadElement.textContent);
+
                     if (window.opener) {{
                         window.opener.postMessage({{
-                            type: 'LTI_DEEP_LINK_SUCCESS', // Уникальный тип события, который слушает ваш React/Angular
+                            type: 'LTI_DEEP_LINK_SUCCESS',
                             payload: payload
-                        }}, '*'); // В продакшене вместо '*' лучше указать домен HwProj
+                        }}, '*'); // В продакшене заменить '*' на конкретный домен
                     }}
-                    
+                }} catch (e) {{
+                    console.error('Ошибка обработки данных LTI:', e);
+                }} finally {{
                     window.close();
                 }}
-                
-                sendAndClose();
             </script>
         </body>
         </html>";
diff --git a/HwProj.APIGateway/HwProj.APIGateway.API/Lti/DTOs/LtiToolDto.cs b/HwProj.APIGateway/HwProj.APIGateway.API/Lti/DTOs/LtiToolDto.cs
@@ -2,6 +2,7 @@ namespace HwProj.APIGateway.API.Lti.DTOs;
 
 public record LtiToolDto(
     string Name,
+    string issuer,
     string ClientId,
     string JwksEndpoint,
     string InitiateLoginUri,
diff --git a/HwProj.APIGateway/HwProj.APIGateway.API/Lti/Mappings/LtiToolMapper.cs b/HwProj.APIGateway/HwProj.APIGateway.API/Lti/Mappings/LtiToolMapper.cs
@@ -9,6 +9,7 @@ public static LtiToolDto LtiToolConfigToDto(this LtiToolConfig t)
     {
         return new LtiToolDto(
             t.Name,
+            t.Issuer,
             t.ClientId,
             t.JwksEndpoint,
             t.InitiateLoginUri,
diff --git a/HwProj.SolutionsService/HwProj.SolutionsService.API/Controllers/SolutionsController.cs b/HwProj.SolutionsService/HwProj.SolutionsService.API/Controllers/SolutionsController.cs
@@ -112,7 +112,6 @@ public async Task<IActionResult> PostAndRateSolutionForLti(long taskId,
 
             await _solutionsService.RateSolutionAsync(solutionId, lecturerId!, rateSolutionModel.Rating, rateSolutionModel.LecturerComment);
             return Ok();
-
         }
 
         [HttpPost("rateSolution/{solutionId}")]

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ public static LtiToolDto LtiToolConfigToDto(this LtiToolConfig t)`
`9`	`9`	`{`
`10`	`10`	`return new LtiToolDto(`
`11`	`11`	`t.Name,`
	`12`	`+ t.Issuer,`
`12`	`13`	`t.ClientId,`
`13`	`14`	`t.JwksEndpoint,`
`14`	`15`	`t.InitiateLoginUri,`
Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,6 @@ public async Task<IActionResult> PostAndRateSolutionForLti(long taskId,`
`112`	`112`
`113`	`113`	`await _solutionsService.RateSolutionAsync(solutionId, lecturerId!, rateSolutionModel.Rating, rateSolutionModel.LecturerComment);`
`114`	`114`	`return Ok();`
`115`		`-`
`116`	`115`	`}`
`117`	`116`
`118`	`117`	`[HttpPost("rateSolution/{solutionId}")]`