Encode user provided state (#401)

Author: augustuswm

Cargo.lock

@@ -34,6 +34,7 @@ newtype-uuid = { version = "1.3.2", features = ["schemars08", "serde", "v4"] }
 oauth2 = { version = "5.0.0", default-features = false, features = ["rustls-tls"] }
 oauth2-reqwest = "0.1.0-alpha.3"
 partial-struct = { git = "https://github.com/oxidecomputer/partial-struct" }
+percent-encoding = "2.3.2"
 proc-macro2 = "1"
 quote = "1"
 rand = "0.8.5"

Cargo.toml

@@ -26,6 +26,7 @@ oauth2 = { workspace = true }
 oauth2-reqwest = { workspace = true }
 newtype-uuid = { workspace = true }
 partial-struct = { workspace = true }
+percent-encoding = { workspace = true }
 rand = { workspace = true, features = ["std"] }
 rand_core = { workspace = true, features = ["std"] }
 reqwest = { workspace = true }

v-api/Cargo.toml

@@ -19,6 +19,7 @@ use newtype_uuid::TypedUuid;
 use oauth2::{
     AuthorizationCode, CsrfToken, PkceCodeChallenge, PkceCodeVerifier, Scope, TokenResponse,
 };
+use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
 use schemars::JsonSchema;
 use secrecy::SecretString;
 use serde::{Deserialize, Serialize};
@@ -205,8 +206,10 @@ where
     // Assign any scope errors that arose
     attempt.error = scope_error;
 
-    // Add in the user defined state and redirect uri
-    attempt.state = Some(query.state);
+    // Add in the user defined state and redirect uri. State is an arbitrary value and may be
+    // malicious. It must be url-encoded before being presented back to the client. Therefore we
+    // process once before storing so all downstream consumers see the encoded value.
+    attempt.state = Some(percent_encode(query.state.as_bytes(), NON_ALPHANUMERIC).to_string());
 
     // If the remote provider supports pkce, set up a challenge
     let pkce_challenge = if provider.supports_pkce() {