Bug#37697750 - User provided URL redirection should block fragment

Description
===========
"URL Handling Best Practices" point that when executing
redirection provided by user should be blocked, overriden
or prepared fragment should be attached.

Fix
===
When redirecting, remove "fragment" part from the URL.

(POST-PUSH FIX WL#15440)

Change-Id: I46d96eb09eda62b127c567e07644705e7e30fdb6

Author: lkotula

mysql-test/suite/router/include/mrs/mrs_client.inc

@@ -118,6 +118,7 @@ if ($mrs_client_arg_expect_header)
     --die "mrs_client_arg_expect_header" requires mrs_client_arg_expect_header_value parameter.
   }
   --let $mrs_escape_query=$mrs_client_arg_expect_header_value
+  --let $mrs_include_character_and=1
   --source escape_url_query.inc
   --let $mrs_client_cmd=$mrs_client_cmd --encoded-expected-header=$mrs_client_arg_expect_header=$mrs_escape_query
 }

mysql-test/suite/router/r/authentication_redirect.result

@@ -27,6 +27,10 @@ grant all on *.* to mrsuser@'%';
 # 7. path part contains control characters
 # 8. relative path, directory traversing
 #
+## III. Execute user redirection, but change the target URL
+#
+# 1. all fragments must be reseted
+#
 # Registred SERVICE at path: /svc_no_valid
 # Registred SERVICE at path: /svc_open_valid
 # Registred AUTH APP at path: NULL
@@ -221,6 +225,12 @@ OK
 # II.8
 GET /svc_open_valid/authentication/login?onCompletionRedirect=../../admin
 
+OK
+
+#
+# III.1
+GET /svc_no_valid/authentication/login?onCompletionRedirect=/path1/#fragment
+
 OK
 drop user mrsuser@'%';
 DROP SCHEMA basic_schema;

mysql-test/suite/router/t/authentication_redirect.test

@@ -34,6 +34,10 @@ grant all on *.* to mrsuser@'%';
 --echo # 7. path part contains control characters
 --echo # 8. relative path, directory traversing
 --echo #
+--echo ## III. Execute user redirection, but change the target URL
+--echo #
+--echo # 1. all fragments must be reseted
+--echo #
 
 
 --source ../include/mrs/start_object_definition.inc
@@ -62,6 +66,17 @@ grant all on *.* to mrsuser@'%';
 --let $test_service=svc_open_valid
 --source ../include/test/authentication_redirect.inc
 
+--echo
+--echo #
+--echo # III.1
+--let $mrs_client_arg_path='/svc_no_valid/authentication/login?onCompletionRedirect=/path1/#fragment'
+--let $mrs_client_arg_authentication=basic
+--let $mrs_client_arg_user=mrsuser
+--let $mrs_client_arg_password=S3kre7
+--let $mrs_client_arg_expect_header=Location
+--let $mrs_client_arg_expect_header_value="/path1/?authApp=Internal&login=success"
+--source ../include/mrs/mrs_client.inc
+
 # Cleanup
 drop user mrsuser@'%';
 --source ../include/mrs/cleanup.inc

router/src/mysql_rest_service/src/mrs/endpoint/handler/authentication/handler_authorize_login.cc

@@ -200,6 +200,11 @@ std::string HandlerAuthorizeLogin::append_status_parameters(
   Url::append_query_parameter(uri, "login",
                               get_authentication_status(error.status));
 
+  // Best practices of handling URL redirection point that
+  // fragment should be blocked in some way.
+  // We are not forwarding it.
+  uri.set_fragment({});
+
   return uri.join();
 }
 

router/tests/mrs_client/client/authentication.cc

@@ -306,7 +306,7 @@ Result Authentication::do_basic_flow(
           "Response doesn't contains Set-Cookie with proper value.");
   }
 
-  return {HttpStatusCode::Ok, {}, {}};
+  return {HttpStatusCode::Ok, request->get_input_headers(), {}};
 }
 
 Result Authentication::do_basic_json_flow(
@@ -363,7 +363,7 @@ Result Authentication::do_basic_json_flow(
   // The session_id - cookie name is service dependent, thus we would also need
   // to transfer service_id.
 
-  return {HttpStatusCode::Ok, {}, {}};
+  return {HttpStatusCode::Ok, request->get_input_headers(), {}};
 }
 
 class Scram {
@@ -556,7 +556,7 @@ Result Authentication::do_scram_post_flow(
     request->get_session()->add_header(&header[0]);
   }
 
-  return {HttpStatusCode::Ok, {}, {}};
+  return {HttpStatusCode::Ok, request->get_input_headers(), {}};
 }
 
 Result Authentication::do_scram_get_flow(
@@ -619,7 +619,7 @@ Result Authentication::do_scram_get_flow(
     request->get_session()->add_header(&header[0]);
   }
 
-  return {HttpStatusCode::Ok, {}, {}};
+  return {HttpStatusCode::Ok, request->get_input_headers(), {}};
 }
 
 }  // namespace mrs_client

router/tests/mrs_client/client/http_client_request.cc

@@ -32,16 +32,6 @@
 
 namespace mrs_client {
 
-static Headers get_headers(const ::http::base::Request *request) {
-  Headers result;
-  auto &headers = request->get_input_headers();
-  for (const auto &h : headers) {
-    result.push_back(h);
-  }
-
-  return result;
-}
-
 HttpClientRequest::HttpClientRequest(net::io_context *context,
                                      HttpClientSession *session,
                                      const http::base::Uri &uri)
@@ -56,6 +46,20 @@ void HttpClientRequest::add_header(const char *name, const char *value) {
   one_shot_headers_.emplace_back(name, value);
 }
 
+static Headers get_headers(const ::http::base::Request *request) {
+  Headers result;
+  auto &headers = request->get_input_headers();
+  for (const auto &h : headers) {
+    result.push_back(h);
+  }
+
+  return result;
+}
+
+const Headers &HttpClientRequest::get_input_headers() const {
+  return input_headers_;
+}
+
 Result HttpClientRequest::do_request(http::base::method::key_type method,
                                      const std::string &path,
                                      const std::string &body,
@@ -96,8 +100,8 @@ Result HttpClientRequest::do_request(http::base::method::key_type method,
   auto &ib = request.get_input_buffer();
   auto array = ib.pop_front(ib.length());
 
-  return Result{code, get_headers(&request),
-                std::string(array.begin(), array.end())};
+  input_headers_ = get_headers(&request);
+  return Result{code, input_headers_, std::string(array.begin(), array.end())};
 }
 
 }  // namespace mrs_client

router/tests/mrs_client/client/http_client_request.h

@@ -78,6 +78,7 @@ class HttpClientRequest {
                     const http::base::Uri &uri);
 
   void add_header(const char *name, const char *value);
+  const Headers &get_input_headers() const;
   Result do_request(http::base::method::key_type type, const std::string &path,
                     const std::string &body, bool set_new_cookies = true);
 
@@ -91,6 +92,7 @@ class HttpClientRequest {
   std::unique_ptr<http::client::Client> client_;
   std::string response_;
   Headers one_shot_headers_;
+  Headers input_headers_;
 };
 
 }  // namespace mrs_client