Skip to content

MLE-30256 Encode accessTokenDuration Before URL Interpolation in getAccessToken#1091

Merged
jonmille merged 2 commits into
developfrom
MLE-30256
Jul 7, 2026
Merged

MLE-30256 Encode accessTokenDuration Before URL Interpolation in getAccessToken#1091
jonmille merged 2 commits into
developfrom
MLE-30256

Conversation

@jonmille

@jonmille jonmille commented Jul 6, 2026

Copy link
Copy Markdown

Summary

Fixes a medium-severity URL parameter injection vulnerability (CWE-20, CWE-93, CVSS 4.2) in the MarkLogic Cloud authentication flow. The accessTokenDuration connection parameter was string-concatenated directly into the token request URL path without encoding, and was not validated at client creation time.

Changes

requester.js

  • Wrapped accessTokenDuration in encodeURIComponent() when building the /token?duration= path in getAccessToken(). All other query-string values in this function were already encoded — this omission was inconsistent. The fix provides defense-in-depth against callers who bypass initClient() via direct connectionParams mutation or by calling getAccessToken() directly through require('./requester').

marklogic.js

  • Added positive-integer validation for accessTokenDuration in the CLOUD auth block of initClient(). A non-integer value now throws immediately at client creation with a clear error message rather than silently reaching the network layer. This is consistent with the parameter's documented meaning ("duration in seconds") and eliminates non-numeric characters from ever reaching the URL through the normal API entry point.

cloud_authentication-test.js

  • Added two tests to the existing cloud-authentication tests suite — one verifying the happy path (valid integer produces /token?duration=300), one verifying the validation error is thrown at client creation for a non-integer value. No live MarkLogic server is required to run these tests.

Notes

  • Callers already passing a positive integer (e.g., accessTokenDuration: 300) see no behavior change.
  • String integers (e.g., '300') were previously accepted silently and will now throw.
  • Jira: MLE-30256

Copilot AI review requested due to automatic review settings July 6, 2026 19:52
@jonmille jonmille requested a review from rjdew-progress July 6, 2026 19:52

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Addresses a URL parameter injection risk in the MarkLogic Cloud authentication flow by ensuring accessTokenDuration is safely handled before being sent to the /token endpoint, and by validating the parameter earlier during client initialization.

Changes:

  • Encode accessTokenDuration with encodeURIComponent() when building the token request path in getAccessToken().
  • Validate accessTokenDuration as a positive integer in the CLOUD auth branch of initClient().
  • Add/extend cloud-authentication tests to cover the new behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
lib/requester.js Encodes accessTokenDuration before interpolating it into the /token?duration= URL.
lib/marklogic.js Adds positive-integer validation for accessTokenDuration during cloud client initialization.
test-basic/cloud_authentication-test.js Adds tests intended to cover the encoded token path and validation error behavior.

Comment thread lib/requester.js
Comment on lines 48 to +49
const postData = `${encodeURI('grant_type')}=${encodeURI('apikey')}&${encodeURI('key')}=${encodeURI(operation.client.connectionParams.apiKey)}`;
const path = operation.client.connectionParams.accessTokenDuration?'/token?duration='+operation.client.connectionParams.accessTokenDuration:'/token';
const path = operation.client.connectionParams.accessTokenDuration?'/token?duration='+encodeURIComponent(operation.client.connectionParams.accessTokenDuration):'/token';
Comment thread test-basic/cloud_authentication-test.js Outdated
rjdew-progress
rjdew-progress previously approved these changes Jul 6, 2026
@jonmille jonmille merged commit a4735a0 into develop Jul 7, 2026
4 checks passed
@jonmille jonmille deleted the MLE-30256 branch July 7, 2026 15:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants