fix: html-escape debug data sent to development-only interactions

closes #1414

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Author: panva

SECURITY.md

@@ -97,3 +97,4 @@ The following are explicitly **not** considered vulnerabilities in this library:
 - **Denial of service via resource exhaustion** ([CWE-400](https://cwe.mitre.org/data/definitions/400.html)): While the library validates inputs, it does not implement resource limits. Applications should implement their own rate limiting and resource management.
 - **Misconfiguration**: Security issues arising from insecure configuration choices (e.g., weak policies, insecure client settings) are the user's responsibility.
 - **Insecure adapter implementations**: Security issues in user-provided storage adapters are the user's responsibility.
+- **Development-only features**: Bugs or issues in features explicitly documented as development-only (e.g., `features.devInteractions`, the built-in development-only signing keys used when no `jwks` is configured, the in-memory adapter) are not considered vulnerabilities. These features are intended solely for development and demonstration purposes and must not be used in production deployments.

example/routes/express.js

@@ -7,6 +7,7 @@ import isEmpty from 'lodash/isEmpty.js';
 import { urlencoded } from 'express';
 
 import Account from '../support/account.js';
+import htmlSafe from '../support/html_safe.js';
 import { errors } from '../../lib/index.js'; // from 'oidc-provider';
 
 const body = urlencoded({ extended: false });
@@ -18,7 +19,7 @@ const debug = (obj) => querystring.stringify(Object.entries(obj).reduce((acc, [k
   acc[key] = inspect(value, { depth: null });
   return acc;
 }, {}), '<br/>', ': ', {
-  encodeURIComponent(value) { return keys.has(value) ? `<strong>${value}</strong>` : value; },
+  encodeURIComponent(value) { return keys.has(value) ? `<strong>${value}</strong>` : htmlSafe(value); },
 });
 const { SessionNotFound } = errors;
 export default (app, provider) => {

example/routes/koa.js

@@ -11,6 +11,7 @@ import Router from '@koa/router';
 
 import { defaults } from '../../lib/helpers/defaults.js'; // make your own, you'll need it anyway
 import Account from '../support/account.js';
+import htmlSafe from '../support/html_safe.js';
 import { errors } from '../../lib/index.js'; // from 'oidc-provider';
 
 const hkdf = promisify(crypto.hkdf);
@@ -21,7 +22,7 @@ const debug = (obj) => querystring.stringify(Object.entries(obj).reduce((acc, [k
   acc[key] = inspect(value, { depth: null });
   return acc;
 }, {}), '<br/>', ': ', {
-  encodeURIComponent(value) { return keys.has(value) ? `<strong>${value}</strong>` : value; },
+  encodeURIComponent(value) { return keys.has(value) ? `<strong>${value}</strong>` : htmlSafe(value); },
 });
 
 const { SessionNotFound } = errors;

example/support/html_safe.js

@@ -0,0 +1,19 @@
+export default function htmlSafe(input) {
+  if (typeof input === 'number' && Number.isFinite(input)) {
+    return `${input}`;
+  }
+
+  if (typeof input === 'string') {
+    return input.replace(/&/g, '&')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#39;');
+  }
+
+  if (typeof input === 'boolean') {
+    return input.toString();
+  }
+
+  return '';
+}

lib/actions/interaction.js

@@ -3,6 +3,7 @@ import * as querystring from 'node:querystring';
 import { inspect } from 'node:util';
 
 import * as attention from '../helpers/attention.js';
+import htmlSafe from '../helpers/html_safe.js';
 import { urlencoded as parseBody } from '../shared/selective_body.js';
 import * as views from '../views/index.js';
 import instance from '../helpers/weak_cache.js';
@@ -16,7 +17,7 @@ const dbg = (obj) => querystring.stringify(Object.entries(obj).reduce((acc, [key
   acc[key] = inspect(value, { depth: null });
   return acc;
 }, {}), '<br/>', ': ', {
-  encodeURIComponent(value) { return keys.has(value) ? `<strong>${value}</strong>` : value; },
+  encodeURIComponent(value) { return keys.has(value) ? `<strong>${value}</strong>` : htmlSafe(value); },
 });
 
 export default function devInteractions(provider) {

test/interaction/interaction.test.js

@@ -78,6 +78,32 @@ describe('devInteractions', () => {
     handlesInteractionSessionErrors();
   });
 
+  context('escapes debug output HTML', () => {
+    beforeEach(function () { return this.logout(); });
+    beforeEach(function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'code',
+        scope: 'openid',
+        state: '<img src=x onerror=alert(1)>',
+      });
+
+      return this.agent.get('/auth')
+        .query(auth)
+        .then((response) => {
+          this.url = response.headers.location;
+        });
+    });
+
+    it('HTML-escapes parameter values in the debug section', function () {
+      return this.agent.get(this.url)
+        .expect(200)
+        .expect((response) => {
+          expect(response.text).not.to.match(/<img src=x onerror=alert\(1\)>/);
+          expect(response.text).to.contain('&lt;img src=x onerror=alert(1)&gt;');
+        });
+    });
+  });
+
   context('render interaction', () => {
     beforeEach(function () { return this.logout(); });
     beforeEach(function () { return this.login(); });