Skip to content

[OAuth2] Login hint support #86

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
24c02 merged 1 commit into from
Dec 8, 2025
Merged

[OAuth2] Login hint support #86

24c02 merged 1 commit into from
Dec 8, 2025

Conversation

@24c02
Copy link
Member

@24c02 24c02 commented Dec 8, 2025

h/t @dhamariT

@24c02 24c02 merged commit 20c064c into main Dec 8, 2025
3 checks passed
@24c02 24c02 mentioned this pull request Dec 8, 2025
Closed
sentry[bot]
sentry bot reviewed Dec 8, 2025
View reviewed changes
app/controllers/static_pages_controller.rb
# Extract client_id and login_hint from the return_to URL
@return_to = params[:return_to]
if @return_to.present?
uri = URI.parse(@return_to)
Copy link

@sentry sentry bot Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: URI.parse(@return_to) lacks error handling for malformed URLs, leading to an unrescued URI::InvalidURIError and application crash.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

If a malformed URL is passed as the return_to parameter, the URI.parse(@return_to) call on line 17 will raise an unrescued URI::InvalidURIError, causing the application to crash. This creates a denial-of-service vulnerability, disrupting the authentication flow.

💡 Suggested Fix

Wrap URI.parse(@return_to) in a begin...rescue URI::InvalidURIError block to handle malformed URLs gracefully, preventing application crashes.

🤖 Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: app/controllers/static_pages_controller.rb#L17

Potential issue: If a malformed URL is passed as the `return_to` parameter, the
`URI.parse(@return_to)` call on line 17 will raise an unrescued `URI::InvalidURIError`,
causing the application to crash. This creates a denial-of-service vulnerability,
disrupting the authentication flow.

Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 6251664

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@sentry sentry[bot] sentry[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@24c02