From 2e3cbd6363237917a1080e459f0ac91c5fec53ea Mon Sep 17 00:00:00 2001
From: sinisterchill <91934084+reyyanxahmed@users.noreply.github.com>
Date: Mon, 23 Feb 2026 23:33:31 +0530
Subject: [PATCH] fix(core): prevent OAuth server crash on unexpected requests (#19668)
---
 packages/core/src/code_assist/oauth2.test.ts | 64 ++++++++++++++++++++
 packages/core/src/code_assist/oauth2.ts | 1 +
 2 files changed, 65 insertions(+)
diff --git a/packages/core/src/code_assist/oauth2.test.ts b/packages/core/src/code_assist/oauth2.test.ts
index ae45c3a6b3..5726f76451 100644
--- a/packages/core/src/code_assist/oauth2.test.ts
+++ b/packages/core/src/code_assist/oauth2.test.ts
@@ -936,6 +936,70 @@ describe('oauth2', () => {
 );
 });
 
+ it('should handle unexpected requests (like /favicon.ico) without crashing', async () => {
+ const mockAuthUrl = 'https://example.com/auth';
+ const mockOAuth2Client = {
+ generateAuthUrl: vi.fn().mockReturnValue(mockAuthUrl),
+ on: vi.fn(),
+ } as unknown as OAuth2Client;
+ vi.mocked(OAuth2Client).mockImplementation(() => mockOAuth2Client);
+
+ vi.mocked(open).mockImplementation(
+ async () => ({ on: vi.fn() }) as never,
+ );
+
+ let requestCallback!: http.RequestListener;
+ let serverListeningCallback: (value: unknown) => void;
+ const serverListeningPromise = new Promise(
+ (resolve) => (serverListeningCallback = resolve),
+ );
+
+ const mockHttpServer = {
+ listen: vi.fn(
+ (_port: number, _host: string, callback?: () => void) => {
+ if (callback) callback();
+ serverListeningCallback(undefined);
+ },
+ ),
+ close: vi.fn(),
+ on: vi.fn(),
+ address: () => ({ port: 3000 }),
+ };
+ (http.createServer as Mock).mockImplementation((cb) => {
+ requestCallback = cb;
+ return mockHttpServer as unknown as http.Server;
+ });
+
+ const clientPromise = getOauthClient(
+ AuthType.LOGIN_WITH_GOOGLE,
+ mockConfig,
+ );
+ await serverListeningPromise;
+
+ // Simulate an unexpected request, like a browser requesting a favicon
+ const mockReq = {
+ url: '/favicon.ico',
+ } as http.IncomingMessage;
+ const mockRes = {
+ writeHead: vi.fn(),
+ end: vi.fn(),
+ } as unknown as http.ServerResponse;
+
+ await expect(async () => {
+ requestCallback(mockReq, mockRes);
+ await clientPromise;
+ }).rejects.toThrow(
+ 'OAuth callback not received. 
Unexpected request: /favicon.ico',
+ );
+
+ // Assert that we correctly redirected to the failure page
+ expect(mockRes.writeHead).toHaveBeenCalledWith(301, {
+ Location:
+ 'https://developers.google.com/gemini-code-assist/auth_failure_gemini',
+ });
+ expect(mockRes.end).toHaveBeenCalled();
+ });
+
 it('should handle token exchange failure with descriptive error', async () => {
 const mockAuthUrl = 'https://example.com/auth';
 const mockCode = 'test-code';
diff --git a/packages/core/src/code_assist/oauth2.ts b/packages/core/src/code_assist/oauth2.ts
index 7ee3fbe02e..14e65f5906 100644
--- a/packages/core/src/code_assist/oauth2.ts
+++ b/packages/core/src/code_assist/oauth2.ts
@@ -490,6 +490,7 @@ async function authWithWeb(client: OAuth2Client): Promise {
 'OAuth callback not received. Unexpected request: ' + req.url,
 ),
 );
+ return;
 }
 // acquire the code from the querystring, and close the web server.
 const qs = new url.URL(req.url!, 'http://127.0.0.1:3000').searchParams;
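Review bot: The new test never checks that the listening server is torn down after the rejection: `mockHttpServer.close` is a `vi.fn()` but no expectation is placed on it, so the test passes whether or not the handler closes the server on the `/favicon.ico` path. Add `expect(mockHttpServer.close).toHaveBeenCalled();` beside the `writeHead` assertion, or, if the server is meant to stay open on this path, say so in the "Assert that we correctly redirected" comment. The test name promises "without crashing" while what it pins is a descriptive rejection plus a redirect to the failure page; a name such as 'should reject with a descriptive error and redirect on unexpected requests' would match the assertions.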
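Review bot: The added `return` stops the handler from falling through into the code exchange with an unrelated URL, but the branch it belongs to still rejects the whole login on the first request whose path is not the callback, and the new test pins exactly that: a browser's `/favicon.ico` probe aborts the flow. If the listener is bound on the loopback address (the `127.0.0.1:3000` base URL suggests so), any other local process can produce such a request as well, so one stray hit is enough to fail authentication. Consider answering unrelated paths with a 404 and keeping the server waiting, reserving the rejection and the failure-page redirect for a request on the callback path that carries no usable code. `req.url` is also echoed verbatim into the rejection message; truncating it or stripping control characters before it reaches a log or the terminal is cheap hardening. authWithWeb starts and ends outside this hunk, so whether the server is closed on this path is not visible here.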