requests-oauthlib icon indicating copy to clipboard operation
requests-oauthlib copied to clipboard

Published 20 hours ago verified publisher icon requests

(Security Flaw) `requests-oauthlib` sends `json` payloads while refreshing tokens

Open slmtpz opened this issue 3 years ago • 1 comments

Walkthrough

When intercepting a request(), request-oauthlib doesn't take payload data passed with json parameter into account. This leads to kwargs having json parameter value. Notice that the same kwargs are passed to refresh_token() call. The data then is included in the body data to be sent to the identity provider's refresh token endpoint.

Security Problem

As of requests 2.4.2 POST data can be sent with json parameter. The data might include private information as it is intended for the POST body. The data then is further exposed to an identity provider when refreshing expired tokens if auto_refresh functionality is enabled while instantiating an OAuth2Session instance.

For the users

You can safely use data parameter to pass your POST data instead of json.

slmtpz avatar Aug 12 '21 12:08 slmtpz

Hi, Thanks for the report, however I have difficulties to understand a concrete example and possible dev mistakes which can lead to info leaking. Based on the code highlights, it seems json is not used when calling requests library, no matter the content of kwargs.

JonathanHuot avatar Nov 06 '21 23:11 JonathanHuot