fix: handle nil return from url.Parse in DPoP strip() and related sites

reinkrul · claude · reinkrul · commit 65c268693bc7 · 2026-03-25T11:16:34.000+01:00
url.Parse returns (nil, error) for inputs containing invalid percent-encoded
sequences (e.g. "%zz"). Three call-sites ignored the error and immediately
used the returned pointer, causing a nil pointer dereference panic.

crypto/dpop/dpop.go (strip):
- Validate htu claim as a parseable URL in Parse() so malformed tokens are
  rejected early with a clear error, before Match() is reached.
- Change strip() signature to (string, error) and propagate the error
  through Match() instead of dereferencing a nil *url.URL.

auth/api/iam/session.go (CreateRedirectURI / redirectURI):
- Added error checks; redirect URIs are validated before being stored so
  this is a defence-in-depth guard rather than a reachable crash path.

vcr/revocation/statuslist2021_issuer.go (statusListURL):
- Added nil guard with a clear panic message; the base URL is the node's own
  public URL validated at startup so the guard will never fire in practice.

echo/dpop_strip_dos_test.go:
- Regression test that starts a real Nuts node and submits a DPoP proof with
  an invalid htu URL, verifying the server returns a graceful rejection
  (HTTP 200, valid=false) instead of panicking and resetting the connection.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/auth/api/iam/session.go b/auth/api/iam/session.go
@@ -175,12 +175,20 @@ type RedirectSession struct {
 }
 
 func (s OAuthSession) CreateRedirectURI(params map[string]string) string {
-	redirectURI, _ := url.Parse(s.RedirectURI)
+	redirectURI, err := url.Parse(s.RedirectURI)
+	if err != nil {
+		// Redirect URIs are validated before being stored in the session, so this should never happen.
+		return s.RedirectURI
+	}
 	r := http.AddQueryParams(*redirectURI, params)
 	return r.String()
 }
 
 func (s OAuthSession) redirectURI() *url.URL {
-	redirectURL, _ := url.Parse(s.RedirectURI)
+	redirectURL, err := url.Parse(s.RedirectURI)
+	if err != nil {
+		// Redirect URIs are validated before being stored in the session, so this should never happen.
+		return nil
+	}
 	return redirectURL
 }
diff --git a/crypto/dpop/dpop.go b/crypto/dpop/dpop.go
@@ -158,6 +158,8 @@ func Parse(s string) (*DPoP, error) {
 	}
 	if v, ok := token.Get(HTUKey); !ok || v == "" {
 		return nil, fmt.Errorf("%w: missing htu claim", ErrInvalidDPoP)
+	} else if _, err := url.Parse(v.(string)); err != nil {
+		return nil, fmt.Errorf("%w: invalid htu claim: %w", ErrInvalidDPoP, err)
 	}
 	if v, ok := token.Get(HTMKey); !ok || v == "" {
 		return nil, fmt.Errorf("%w: missing htm claim", ErrInvalidDPoP)
@@ -220,22 +222,31 @@ func (t DPoP) Match(jkt string, method string, url string) (bool, error) {
 	if method != t.HTM() {
 		return false, fmt.Errorf("method mismatch, token: %s, given: %s", t.HTM(), method)
 	}
-	urlLeft := strip(t.HTU())
-	urlRight := strip(url)
+	urlLeft, err := strip(t.HTU())
+	if err != nil {
+		return false, fmt.Errorf("invalid htu claim: %w", err)
+	}
+	urlRight, err := strip(url)
+	if err != nil {
+		return false, fmt.Errorf("invalid url: %w", err)
+	}
 	if urlLeft != urlRight {
 		return false, fmt.Errorf("url mismatch, token: %s, given: %s", urlLeft, urlRight)
 	}
 
 	return true, nil
 }
 
-func strip(raw string) string {
-	url, _ := url.Parse(raw)
-	url.Scheme = "https"
-	url.Host = strings.Split(url.Host, ":")[0]
-	url.RawQuery = ""
-	url.Fragment = ""
-	return url.String()
+func strip(raw string) (string, error) {
+	u, err := url.Parse(raw)
+	if err != nil {
+		return "", err
+	}
+	u.Scheme = "https"
+	u.Host = strings.Split(u.Host, ":")[0]
+	u.RawQuery = ""
+	u.Fragment = ""
+	return u.String(), nil
 }
 
 func (t DPoP) MarshalJSON() ([]byte, error) {
diff --git a/echo/dpop_strip_dos_test.go b/echo/dpop_strip_dos_test.go
@@ -0,0 +1,111 @@
+/*
+ * Nuts node
+ * Copyright (C) 2024 Nuts community
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package echo
+
+// TestDPoP_StripNilDerefDoS is a regression test for a nil pointer dereference in
+// crypto/dpop.strip() when the DPoP token's htu claim contains an invalid
+// percent-encoded sequence (e.g. "%zz"). url.Parse returns (nil, err) for such
+// input; without the fix the function dereferenced the nil pointer, causing a panic.
+//
+// Attack path (before fix):
+//   Attacker crafts a DPoP JWT with htu="%zz", signs it with their own key,
+//   and POSTs it to POST /internal/auth/v2/dpop/validate.
+//   dpop.Parse() accepted the token (htu is non-empty → passes the only check).
+//   dpopToken.Match() called strip(token.HTU()) → url.Parse("%zz") → nil → PANIC.
+//
+// Expected outcome (after fix):
+//   dpop.Parse() rejects the token because the htu value is not a valid URL.
+//   ValidateDPoPProof returns 200 with Valid=false and a reason string.
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"testing"
+
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/nuts-foundation/nuts-node/crypto/dpop"
+	"github.com/nuts-foundation/nuts-node/test/node"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDPoP_StripNilDerefDoS(t *testing.T) {
+	internalBaseURL, _, _ := node.StartServer(t)
+
+	// Generate an EC key pair. The DPoP spec requires the public key in the JWT header,
+	// so we need a real key to produce a valid signature that passes dpop.Parse().
+	keyPair, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	// Build a syntactically valid DPoP token using a placeholder URL, then overwrite
+	// the htu claim with an invalid percent-encoded string. "%zz" is invalid because
+	// 'z' is not a hexadecimal digit, so url.Parse will return (nil, error).
+	req, err := http.NewRequest(http.MethodPost, "https://example.com/token", nil)
+	require.NoError(t, err)
+
+	token := dpop.New(*req)
+	// Overwrite htu with a malformed percent-encoded value.
+	// dpop.Parse() only checks !ok || v == "", so "%zz" passes that guard.
+	require.NoError(t, token.Token.Set(dpop.HTUKey, "%zz"))
+
+	dpopProof, err := token.Sign("kid", keyPair, jwa.ES256)
+	require.NoError(t, err)
+
+	// Compute the JWK thumbprint that the server will verify. Match() checks the
+	// thumbprint first; an incorrect value short-circuits before strip() is reached.
+	pubJWK, err := jwk.FromRaw(keyPair.Public())
+	require.NoError(t, err)
+	thumbprintBytes, err := pubJWK.Thumbprint(crypto.SHA256)
+	require.NoError(t, err)
+	thumbprint := base64.RawURLEncoding.EncodeToString(thumbprintBytes)
+
+	// POST to the internal validate endpoint. Any authenticated caller of the
+	// internal API (e.g. a resource server) can reach this endpoint.
+	body, err := json.Marshal(map[string]string{
+		"dpop_proof": dpopProof,
+		"method":     http.MethodPost,
+		"thumbprint": thumbprint,
+		"token":      "dummy-access-token",
+		"url":        "https://example.com/token",
+	})
+	require.NoError(t, err)
+
+	resp, err := http.Post(
+		internalBaseURL+"/internal/auth/v2/dpop/validate",
+		"application/json",
+		bytes.NewReader(body),
+	)
+	require.NoError(t, err, "server should not close the connection (no panic)")
+	defer resp.Body.Close()
+
+	// The fix rejects the token at dpop.Parse() time (invalid htu URL), so the
+	// server returns 200 with Valid=false rather than panicking.
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	var result map[string]interface{}
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&result))
+	assert.Equal(t, false, result["valid"], "valid should be false for an invalid DPoP token")
+	assert.NotEmpty(t, result["reason"], "a human-readable rejection reason should be present")
+}
diff --git a/vcr/revocation/statuslist2021_issuer.go b/vcr/revocation/statuslist2021_issuer.go
@@ -487,7 +487,11 @@ func (cs *StatusList2021) GetRevocation(credentialID ssi.URI) (*Revocation, erro
 
 func (cs *StatusList2021) statusListURL(issuer did.DID, page int) string {
 	// https://example.com/statuslist/<did>/page
-	result, _ := url.Parse(cs.baseURL)
+	result, err := url.Parse(cs.baseURL)
+	if err != nil {
+		// baseURL is the node's own public URL, validated at startup. This should never happen.
+		panic("invalid statuslist base URL: " + err.Error())
+	}
 	return result.JoinPath("statuslist", issuer.String(), strconv.Itoa(page)).String()
 }
 
