Fix client_registration URI regex not accepting full query string grammar (#4563)

sandhose · web-flow · commit d8fa8f7018bc · 2025-05-30T17:40:32.000+02:00
diff --git a/policies/client_registration/client_registration.rego b/policies/client_registration/client_registration.rego
@@ -13,9 +13,9 @@ allow if {
 
 parse_uri(url) := obj if {
 	is_string(url)
-	url_regex := `^(?P<scheme>[a-z][a-z0-9+.-]*):(?://(?P<host>((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\[::1\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-]*)?(?P<query>\?[A-Za-z0-9/.-=]*)?$`
+	url_regex := `^(?P<scheme>[a-z][a-z0-9+.-]*):(?://(?P<host>((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\[::1\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-]*)?(?P<query>\?[-a-zA-Z0-9()@:%_+.~#?&/=]*)?$`
 	[matches] := regex.find_all_string_submatch_n(url_regex, url, 1)
-	obj := {"scheme": matches[1], "authority": matches[2], "host": matches[3], "port": matches[4], "path": matches[5]}
+	obj := {"scheme": matches[1], "authority": matches[2], "host": matches[3], "port": matches[4], "path": matches[5], "query": matches[6]}
 }
 
 secure_url(_) if {
diff --git a/policies/client_registration/client_registration_test.rego b/policies/client_registration/client_registration_test.rego
@@ -215,6 +215,13 @@ test_web_redirect_uri if {
 		"redirect_uris": ["https://example.com/second/callback", "https://example.com/callback", "https://example.com/callback?query=value"],
 	}
 
+	client_registration.allow with input.client_metadata as {
+		"application_type": "web",
+		"client_uri": "http://localhost:8080",
+		"redirect_uris": ["http://localhost:8080/?no_universal_links=true"],
+	}
+		with client_registration.allow_insecure_uris as true
+
 	# HTTPS redirect_uri with non-standard port
 	client_registration.allow with input.client_metadata as {
 		"application_type": "web",
@@ -403,3 +410,13 @@ test_reverse_dns_match if {
 	not client_registration.reverse_dns_match("example.com", "org.example")
 	not client_registration.reverse_dns_match("test.com", "com.example")
 }
+
+test_parse_uri if {
+	client_uri_query := client_registration.parse_uri("https://example.com:8080/users?query=test")
+	client_uri_query.authority == "example.com:8080"
+	client_uri_query.host == "example.com"
+	client_uri_query.path == "/users"
+	client_uri_query.scheme == "https"
+	client_uri_query.port == "8080"
+	client_uri_query.query == "?query=test"
+}
