Conversation
There was a problem hiding this comment.
Pull request overview
Addresses a URL parameter injection risk in the MarkLogic Cloud authentication flow by ensuring accessTokenDuration is safely handled before being sent to the /token endpoint, and by validating the parameter earlier during client initialization.
Changes:
- Encode
accessTokenDurationwithencodeURIComponent()when building the token request path ingetAccessToken(). - Validate
accessTokenDurationas a positive integer in theCLOUDauth branch ofinitClient(). - Add/extend cloud-authentication tests to cover the new behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
lib/requester.js |
Encodes accessTokenDuration before interpolating it into the /token?duration= URL. |
lib/marklogic.js |
Adds positive-integer validation for accessTokenDuration during cloud client initialization. |
test-basic/cloud_authentication-test.js |
Adds tests intended to cover the encoded token path and validation error behavior. |
Comment on lines
48
to
+49
| const postData = `${encodeURI('grant_type')}=${encodeURI('apikey')}&${encodeURI('key')}=${encodeURI(operation.client.connectionParams.apiKey)}`; | ||
| const path = operation.client.connectionParams.accessTokenDuration?'/token?duration='+operation.client.connectionParams.accessTokenDuration:'/token'; | ||
| const path = operation.client.connectionParams.accessTokenDuration?'/token?duration='+encodeURIComponent(operation.client.connectionParams.accessTokenDuration):'/token'; |
rjdew-progress
previously approved these changes
Jul 6, 2026
rjdew-progress
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a medium-severity URL parameter injection vulnerability (CWE-20, CWE-93, CVSS 4.2) in the MarkLogic Cloud authentication flow. The
accessTokenDurationconnection parameter was string-concatenated directly into the token request URL path without encoding, and was not validated at client creation time.Changes
requester.js
accessTokenDurationinencodeURIComponent()when building the/token?duration=path ingetAccessToken(). All other query-string values in this function were already encoded — this omission was inconsistent. The fix provides defense-in-depth against callers who bypassinitClient()via directconnectionParamsmutation or by callinggetAccessToken()directly throughrequire('./requester').marklogic.js
accessTokenDurationin theCLOUDauth block ofinitClient(). A non-integer value now throws immediately at client creation with a clear error message rather than silently reaching the network layer. This is consistent with the parameter's documented meaning ("duration in seconds") and eliminates non-numeric characters from ever reaching the URL through the normal API entry point.cloud_authentication-test.js
cloud-authentication testssuite — one verifying the happy path (valid integer produces/token?duration=300), one verifying the validation error is thrown at client creation for a non-integer value. No live MarkLogic server is required to run these tests.Notes
accessTokenDuration: 300) see no behavior change.'300') were previously accepted silently and will now throw.