Skip to content

fix(parsing): reject malformed auth params#14

Closed
EfeDurmaz16 wants to merge 1 commit into
stripe:mainfrom
EfeDurmaz16:fix/reject-malformed-auth-params
Closed

fix(parsing): reject malformed auth params#14
EfeDurmaz16 wants to merge 1 commit into
stripe:mainfrom
EfeDurmaz16:fix/reject-malformed-auth-params

Conversation

@EfeDurmaz16

Copy link
Copy Markdown
Contributor

Summary

Reject malformed WWW-Authenticate: Payment auth-param lists instead of silently accepting partial regex matches.

This catches cases where required params are present but the header is still malformed, for example:

  • missing comma separators between auth params
  • trailing non-param junk after an otherwise valid challenge

Why

The parser previously used scan, so malformed text between or after matched params could be ignored. For payment challenges, accepting a partially parsed header can hide producer bugs and make interop failures harder to diagnose.

Verification

  • mise exec ruby@3.3 -- bundle exec ruby -Itest test/mpp/test_parsing.rb
  • mise exec ruby@3.3 -- bundle exec rake test
  • mise exec ruby@3.3 -- bundle exec standardrb lib/mpp/parsing.rb test/mpp/test_parsing.rb
  • git diff --check

@emmajam

emmajam commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

hey think this has conflicts now that needs updating 🙇

@emmajam

emmajam commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

i think its likely we need a conformance test added to mpp-tools also for this?

Signed-off-by: EfeDurmaz16 <efebarandurmaz05@gmail.com>
@raubrey-stripe

Copy link
Copy Markdown
Contributor

Hey @emmajam I do see some failed tests that appear to overlap with this change (formatting, etc.) - is this change still relevant given some of the other improvements?

Comment thread lib/mpp/parsing.rb

params_str.scan(AUTH_PARAM_RE) do |key, quoted_val, token_val|
match = T.must(Regexp.last_match)
separator = params_str[pos...match.begin(0)]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from_www_authenticate_list still splits on every /Payment\s+/, including inside quoted values. With the new strict tail validation, a header like Payment id="ch", realm="contact Payment support", ... is split at the quoted Payment, so the first chunk becomes malformed and parsing fails. The new mpp-tools vectors cover from_www_authenticate, but not this public list parser path.

Comment thread lib/mpp/parsing.rb
first = false
end

tail = params_str[pos..]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This now rejects the existing mpp-tools conformance vector unescaped_quotes_in_description, prob needs coordination w/ tempoxyz/mpp-tools#30 ?

Comment thread lib/mpp/parsing.rb
end

tail = params_str[pos..]
Kernel.raise Mpp::ParseError, "Malformed authentication parameters" unless tail.strip.empty?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this breaks the current mpp-tools vector; either update conformance or keep this case permissive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants