From e358d20bd16b987ac1cdc383382f722d77c55d12 Mon Sep 17 00:00:00 2001
From: Pat Losoponkul
Date: Fri, 27 Sep 2024 16:13:06 +0700
Subject: [PATCH] fix: disallow relative url for issuer auth server

Signed-off-by: Pat Losoponkul
---
 .../oid4vci/controller/CredentialIssuerController.scala | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cloud-agent/service/server/src/main/scala/org/hyperledger/identus/oid4vci/controller/CredentialIssuerController.scala b/cloud-agent/service/server/src/main/scala/org/hyperledger/identus/oid4vci/controller/CredentialIssuerController.scala
index 69300821ec..20c497c309 100644
--- a/cloud-agent/service/server/src/main/scala/org/hyperledger/identus/oid4vci/controller/CredentialIssuerController.scala
+++ b/cloud-agent/service/server/src/main/scala/org/hyperledger/identus/oid4vci/controller/CredentialIssuerController.scala
@@ -127,8 +127,10 @@ case class CredentialIssuerControllerImpl(
 private def parseURL(url: String): IO[ErrorResponse, URL] =
 ZIO
- .attempt(URI.create(url).toURL())
+ .attempt(URI.create(url))
 .mapError(ue => badRequest(detail = Some(s"Invalid URL: $url")))
+ .filterOrFail(_.isAbsolute())(badRequest(detail = Some(s"Relative URL '$url' is not allowed")))
+ .map(_.toURL())
 private def baseCredentialIssuerUrl(issuerId: UUID): URL =
 URI(s"$agentBaseUrl/oid4vci/issuers/$issuerId").toURL()
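Review bot: `.map(_.toURL())` now runs outside the `ZIO.attempt` on the line above, so a `MalformedURLException` thrown by `URI.toURL()` for an absolute URI whose scheme has no protocol handler (a constructed input like `foo://host` passes `isAbsolute()`) is no longer mapped to `badRequest` and escapes parseURL as an unhandled defect instead of a 400. Keep the conversion inside an effect, e.g. replace the last added line with `.flatMap(uri => ZIO.attempt(uri.toURL()).mapError(_ => badRequest(detail = Some(s"Invalid URL: $url"))))`. Since this value is the issuer's authorization-server URL, `isAbsolute()` alone also admits any scheme (`file:`, `ftp:`, …); an explicit allowlist on `uri.getScheme` (`https`, plus `http` only where the deployment permits it) with its own `badRequest` detail is the check a reviewer would expect next to the new filter. The unused `ue` in the `mapError` lambda could be `_`. parseURL is fully visible in the hunk; the next hunk line after `baseCredentialIssuerUrl` appears to be cut off.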