feat(idp, open_browser): validate login URL for SAML plugin

Brooke-white · Brooke-white · commit cc87c979c0b2 · 2022-05-04T17:50:22.000-07:00
diff --git a/redshift_connector/plugin/browser_azure_credentials_provider.py b/redshift_connector/plugin/browser_azure_credentials_provider.py
@@ -232,5 +232,5 @@ def open_browser(self: "BrowserAzureCredentialsProvider", state: str) -> None:
             "&redirect_uri={uri}"
             "&state={state}".format(tenant=self.idp_tenant, id=self.client_id, uri=self.redirectUri, state=state)
         )
-
+        self.validate_url(url)
         webbrowser.open(url)
diff --git a/redshift_connector/plugin/browser_azure_oauth2_credentials_provider.py b/redshift_connector/plugin/browser_azure_oauth2_credentials_provider.py
@@ -165,6 +165,7 @@ def open_browser(self: "BrowserAzureOAuth2CredentialsProvider", state: str) -> N
 
         if url is None:
             raise InterfaceError("the login_url could not be empty")
+        self.validate_url(url)
         webbrowser.open(url)
 
     def get_listen_socket(self: "BrowserAzureOAuth2CredentialsProvider") -> socket.socket:
diff --git a/redshift_connector/plugin/browser_saml_credentials_provider.py b/redshift_connector/plugin/browser_saml_credentials_provider.py
@@ -109,4 +109,5 @@ def open_browser(self: "BrowserSamlCredentialsProvider") -> None:
 
         if url is None:
             raise InterfaceError("the login_url could not be empty")
+        self.validate_url(url)
         webbrowser.open(url)
diff --git a/redshift_connector/plugin/idp_credentials_provider.py b/redshift_connector/plugin/idp_credentials_provider.py
@@ -1,6 +1,7 @@
 import typing
 from abc import ABC, abstractmethod
 
+from redshift_connector.error import InterfaceError
 from redshift_connector.redshift_property import RedshiftProperty
 
 if typing.TYPE_CHECKING:
@@ -39,3 +40,8 @@ def add_parameter(self: "IdpCredentialsProvider", info: RedshiftProperty) -> Non
         Defines instance attributes from the :class:RedshiftProperty object associated with the current authentication session.
         """
         pass  # pragma: no cover
+
+    @classmethod
+    def validate_url(cls, uri: str) -> None:
+        if not uri.startswith("https"):
+            raise InterfaceError("URI: {} is an invalid web address".format(uri))
diff --git a/test/unit/plugin/test_browser_saml_credentials_provider.py b/test/unit/plugin/test_browser_saml_credentials_provider.py
@@ -99,3 +99,13 @@ def test_open_browser_no_url_should_fail():
     with pytest.raises(InterfaceError) as ex:
         browser_saml_credentials.open_browser()
     assert "the login_url could not be empty" in str(ex.value)
+
+
+@pytest.mark.parametrize("url", ["test", "1234", "file.txt", "file:///"])
+def test_open_browser_invalid_url_should_fail(url):
+    browser_saml_credentials: BrowserSamlCredentialsProvider = BrowserSamlCredentialsProvider()
+    browser_saml_credentials.login_url = url
+
+    with pytest.raises(InterfaceError) as ex:
+        browser_saml_credentials.open_browser()
+    assert "is an invalid web address" in str(ex.value)

Original file line number	Diff line number	Diff line change
`@@ -232,5 +232,5 @@ def open_browser(self: "BrowserAzureCredentialsProvider", state: str) -> None:`
`232`	`232`	`"&redirect_uri={uri}"`
`233`	`233`	`"&state={state}".format(tenant=self.idp_tenant, id=self.client_id, uri=self.redirectUri, state=state)`
`234`	`234`	`)`
`235`		`-`
	`235`	`+ self.validate_url(url)`
`236`	`236`	`webbrowser.open(url)`