Open
Summary
The OAuth2 authorization endpoint does not enforce maximum length limits on the redirect_uri and state parameters, which could be exploited for denial-of-service attacks.
Problem
Per RFC 6749 Section 10.14, the authorization server must sanitize and validate any value received, particularly state and redirect_uri. While exact matching and proper encoding are implemented, there are no length constraints on these parameters.
An attacker could submit extremely long values (e.g., multi-megabyte strings) causing:
- Excessive memory allocation during request processing
- Large session cookie sizes (state is stored in session)
- Database storage bloat (redirect_uri stored with authorization codes)
Note: client_id is already effectively limited to 38 characters via the IdentifierValidator - invalid client IDs simply fail the database lookup.
Affected Parameters
| Parameter | Current Limit | Recommended Limit |
|---|---|---|
| redirect_uri | None | 8192 characters |
| state | None | 2048 characters |
Affected Files
src/core/validators/authorize_validator.go
Proposed Solution
Add length validation early in the authorization request validation:
const (
    maxRedirectURILength = 8192
    maxStateLength       = 2048
)

if len(input.RedirectURI) > maxRedirectURILength {
    return customerrors.NewErrorDetailWithHttpStatusCode("invalid_request",
        "The redirect_uri parameter exceeds maximum allowed length.", http.StatusBadRequest)
}
if len(input.State) > maxStateLength {
    return customerrors.NewErrorDetailWithHttpStatusCode("invalid_request",
        "The state parameter exceeds maximum allowed length.", http.StatusBadRequest)
}
References
- RFC 6749 Section 10.14 (Code Injection and Input Validation)
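The following is a worked example added here to show the proposed check end to end; it is not code from the issue or from the project. It uses the issue's two limits, places the length check ahead of any parsing, lookup or storage, and then performs the exact-match redirect_uri comparison against a registered list. It is stand-alone: the AuthorizeInput and ValidationError types, the ParseAuthorizeRequest and AttackQuery helpers, the "demo-client" client and the https://app.example/cb redirect URI are all this example's own assumptions, and the 5 MiB request is constructed in the code rather than captured from anywhere. The project's customerrors package and its authorize_validator.go are not used.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Limits from the issue's proposal. Assumed for this example, not taken from
// the project's source.
const (
	maxRedirectURILength = 8192
	maxStateLength       = 2048
)

// AuthorizeInput stands in for the project's authorization request struct
// (hypothetical; the field names are this example's own).
type AuthorizeInput struct {
	ClientID    string
	RedirectURI string
	State       string
}

// ValidationError carries an OAuth2 error code plus the HTTP status to answer with.
type ValidationError struct {
	Code        string
	Description string
	Status      int
}

func (e *ValidationError) Error() string {
	return e.Code + ": " + e.Description
}

// ValidateLengths is the early check. It runs before any URL parsing, database
// lookup or session write, so an oversized value is dropped while it is still
// just a string. len() counts bytes, which is the quantity that drives memory,
// cookie and database cost, so bytes rather than runes is the right measure.
func ValidateLengths(in AuthorizeInput) error {
	if len(in.RedirectURI) > maxRedirectURILength {
		return &ValidationError{"invalid_request",
			"The redirect_uri parameter exceeds maximum allowed length.", http.StatusBadRequest}
	}
	if len(in.State) > maxStateLength {
		return &ValidationError{"invalid_request",
			"The state parameter exceeds maximum allowed length.", http.StatusBadRequest}
	}
	return nil
}

// ParseAuthorizeRequest shows the ordering: extract the raw parameters, apply
// the length check, and only then compare redirect_uri exactly against the
// client's registered URIs (a map stands in for the database lookup).
func ParseAuthorizeRequest(q url.Values, registered map[string][]string) (AuthorizeInput, error) {
	in := AuthorizeInput{
		ClientID:    q.Get("client_id"),
		RedirectURI: q.Get("redirect_uri"),
		State:       q.Get("state"),
	}
	if err := ValidateLengths(in); err != nil {
		return in, err
	}
	for _, uri := range registered[in.ClientID] {
		if uri == in.RedirectURI { // exact match, no prefix or wildcard matching
			return in, nil
		}
	}
	return in, &ValidationError{"invalid_request",
		"The redirect_uri parameter is not registered for this client.", http.StatusBadRequest}
}

// AttackQuery builds a constructed request of the kind the issue describes: an
// otherwise well-formed authorization request whose redirect_uri is padded
// with n bytes.
func AttackQuery(n int) url.Values {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", "demo-client")
	q.Set("redirect_uri", "https://app.example/cb?pad="+strings.Repeat("A", n))
	q.Set("state", "xyz")
	return q
}

func main() {
	registered := map[string][]string{"demo-client": {"https://app.example/cb"}}

	// A 5 MiB redirect_uri is refused at the length check, before url.Parse or
	// the registered-URI comparison ever sees it.
	var ve *ValidationError
	if _, err := ParseAuthorizeRequest(AttackQuery(5<<20), registered); errors.As(err, &ve) {
		fmt.Printf("rejected with HTTP %d: %s\n", ve.Status, ve.Description)
	}

	// A normal request passes both the length check and the exact match.
	normal := url.Values{
		"client_id":    {"demo-client"},
		"redirect_uri": {"https://app.example/cb"},
		"state":        {"xyz"},
	}
	_, err := ParseAuthorizeRequest(normal, registered)
	fmt.Println("normal request error:", err)
}
```

One caveat worth knowing when testing this: Go's net/http reads the request line and headers under a default cap of 1 MiB (http.DefaultMaxHeaderBytes), so a multi-megabyte GET query string is refused with 431 before any handler runs, while a POSTed form body is accepted by ParseForm up to 10 MiB and a reverse proxy in front may apply different limits of its own. The explicit check keeps the bound independent of how the request arrived.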