fix: nil pointer dereference DoS via invalid DPoP htu URL

crypto/dpop/dpop.go

@@ -30,7 +30,7 @@
 	"net/http"
 	"net/url"
 	"slices"
 	"strings"
 	"time"
 
 	"github.com/lestrrat-go/jwx/v2/jwa"
@@ -156,10 +156,20 @@
 	if token.IssuedAt().IsZero() {
 		return nil, fmt.Errorf("%w: missing iat claim", ErrInvalidDPoP)
 	}
-	if v, ok := token.Get(HTUKey); !ok || v == "" {
+	if v, ok := token.Get(HTUKey); !ok {
 		return nil, fmt.Errorf("%w: missing htu claim", ErrInvalidDPoP)
+	} else if s, ok := v.(string); !ok {
+		return nil, fmt.Errorf("%w: invalid htu claim", ErrInvalidDPoP)
+	} else if s == "" {
+		return nil, fmt.Errorf("%w: missing htu claim", ErrInvalidDPoP)
+	} else if _, err := url.Parse(s); err != nil {
+		return nil, fmt.Errorf("%w: invalid htu claim: %w", ErrInvalidDPoP, err)
 	}
-	if v, ok := token.Get(HTMKey); !ok || v == "" {
+	if v, ok := token.Get(HTMKey); !ok {
+		return nil, fmt.Errorf("%w: missing htm claim", ErrInvalidDPoP)
+	} else if s, ok := v.(string); !ok {
+		return nil, fmt.Errorf("%w: invalid htm claim", ErrInvalidDPoP)
+	} else if s == "" {
 		return nil, fmt.Errorf("%w: missing htm claim", ErrInvalidDPoP)
 	}
 	if token.JwtID() == "" {
@@ -220,22 +230,33 @@
 	if method != t.HTM() {
 		return false, fmt.Errorf("method mismatch, token: %s, given: %s", t.HTM(), method)
 	}
-	urlLeft := strip(t.HTU())
-	urlRight := strip(url)
+	urlLeft, err := strip(t.HTU())
+	if err != nil {
+		return false, fmt.Errorf("invalid htu claim: %w", err)
+	}
+	urlRight, err := strip(url)
+	if err != nil {
+		return false, fmt.Errorf("invalid url: %w", err)
+	}
 	if urlLeft != urlRight {
 		return false, fmt.Errorf("url mismatch, token: %s, given: %s", urlLeft, urlRight)
 	}
 
 	return true, nil
 }
 
-func strip(raw string) string {
-	url, _ := url.Parse(raw)
-	url.Scheme = "https"
-	url.Host = strings.Split(url.Host, ":")[0]
-	url.RawQuery = ""
-	url.Fragment = ""
-	return url.String()
+func strip(raw string) (string, error) {
+	u, err := url.Parse(raw)
+	if err != nil {
+		return "", err
+	}
+	u.Scheme = "https"
+	if host := u.Hostname(); host != "" {
+		u.Host = host
+	}
+	u.RawQuery = ""
+	u.Fragment = ""
+	return u.String(), nil
 }
 
 func (t DPoP) MarshalJSON() ([]byte, error) {

crypto/dpop/dpop_test.go

@@ -229,6 +229,40 @@ func TestParseDPoP(t *testing.T) {
 		require.Error(t, err)
 		assert.EqualError(t, err, "invalid DPoP token: jti claim too long")
 	})
+	t.Run("invalid htu claim URL", func(t *testing.T) {
+		// Regression test: url.Parse returns (nil, error) for invalid percent-encoded
+		// sequences. Without the fix, strip() dereferenced the nil pointer, panicking
+		// the server when Match() was called on a token with htu="%zz".
+		dpopToken := New(*request)
+		_ = dpopToken.Token.Set(HTUKey, "%zz")
+		dpopString, _ := dpopToken.Sign("kid", keyPair, alg)
+
+		_, err := Parse(dpopString)
+
+		require.Error(t, err)
+		assert.ErrorIs(t, err, ErrInvalidDPoP)
+		assert.Contains(t, err.Error(), "invalid htu claim")
+	})
+	t.Run("non-string htu claim", func(t *testing.T) {
+		dpopToken := New(*request)
+		_ = dpopToken.Token.Set(HTUKey, 42)
+		dpopString, _ := dpopToken.Sign("kid", keyPair, alg)
+
+		_, err := Parse(dpopString)
+
+		require.Error(t, err)
+		assert.EqualError(t, err, "invalid DPoP token: invalid htu claim")
+	})
+	t.Run("non-string htm claim", func(t *testing.T) {
+		dpopToken := New(*request)
+		_ = dpopToken.Token.Set(HTMKey, 42)
+		dpopString, _ := dpopToken.Sign("kid", keyPair, alg)
+
+		_, err := Parse(dpopString)
+
+		require.Error(t, err)
+		assert.EqualError(t, err, "invalid DPoP token: invalid htm claim")
+	})
 }
 
 func TestDPoP_Match(t *testing.T) {