Skip to content

fix(security): XSS in OAuth callback — escape error parameters#1573

Open
Joshua-Medvinsky wants to merge 1 commit into
SolaceLabs:mainfrom
Joshua-Medvinsky:fix/find-003-xss-oauth-callback
Open

fix(security): XSS in OAuth callback — escape error parameters#1573
Joshua-Medvinsky wants to merge 1 commit into
SolaceLabs:mainfrom
Joshua-Medvinsky:fix/find-003-xss-oauth-callback

Conversation

@Joshua-Medvinsky

Copy link
Copy Markdown

Summary

The OAuth2 tool callback handler at /api/v1/auth/callback interpolates query parameters error and error_description directly into HTML without escaping, enabling reflected XSS. Use html.escape() to sanitize.

Vulnerability

Severity: High
CWE: CWE-79 (Cross-site Scripting — Reflected)
Location: src/solace_agent_mesh/gateway/http_sse/routers/auth.py:204

An attacker crafts: /api/v1/auth/callback?error=<script>alert(document.cookie)</script>. The f-string interpolation produces

Error: <script>alert(document.cookie)</script>

with no escaping. HTMLResponse returns text/html, so the browser executes the script in the gateway origin.

Impact: session hijacking, CSRF token theft, arbitrary API calls as the victim.

Fix

Add import html and replace {error} with {html.escape(error)} and {error_description} with {html.escape(error_description or "No description provided")}.

Test Plan

  • /api/v1/auth/callback?error=<script>alert(1)</script> returns escaped HTML
  • Normal error messages render correctly
  • No CSP needed as defense-in-depth (optional follow-up)

Copilot AI review requested due to automatic review settings June 1, 2026 16:51

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR hardens the OAuth authorization error callback HTML response by escaping user-controlled error strings to prevent HTML injection.

Changes:

  • Import html for HTML escaping utilities.
  • Escape error and error_description before interpolating into the error page HTML.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

The OAuth2 tool callback handler interpolated query parameters
'error' and 'error_description' directly into HTML without
escaping, enabling reflected XSS. Use html.escape() to sanitize.

CWE-79: Cross-site Scripting (Reflected)

Signed-off-by: Joshua Medvinsky <joshuam@ethlas.com>
Signed-off-by: FailSafe Researcher <joshua@getfailsafe.com>
@Joshua-Medvinsky
Joshua-Medvinsky force-pushed the fix/find-003-xss-oauth-callback branch from a305021 to 948d563 Compare June 10, 2026 03:23
@failsafesecurity

Copy link
Copy Markdown

Hi maintainers 👋 — friendly follow-up on this security hardening PR. It has been open for a while with no reviewer feedback yet. Happy to address any concerns or adjust the approach. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants