OAuth Security Flaw: Unencoded Authorization Code Opens Door to Parameter Injection
A critical OAuth implementation flaw has been identified in which an authorization code is interpolated directly into the token exchange URL without URL encoding. The vulnerable code is in `src/asfquart/generics.py`. Because the code parameter is never escaped, an authorization code containing URL-special characters (`&`, `=`, `#`, `%`) malforms the request, and an attacker who controls that parameter could inject additional query parameters (for example `code=legit_code&client_id=other_client`) into the exchange request, confusing server-side logic or bypassing validation checks.
OAuth authorization servers typically issue codes made up only of alphanumeric characters, but relying on that assumption violates core defensive programming principles. The offending line, `rv = await session.get(OAUTH_URL_CALLBACK % code)`, inserts the `code` variable into the `OAUTH_URL_CALLBACK` template without validating or encoding it. This creates a direct parameter-injection vector if the authorization server's code format ever changes or if a non-compliant server is used, undermining the security of the entire token exchange flow.
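The following Python script is an added example, not asfquart's own code, that makes the failure concrete: it builds the token-exchange URL with the raw `%` interpolation the page describes, then with the code percent-encoded, and parses each result the way a token endpoint would. The `OAUTH_URL_CALLBACK` template, the `client_id` value `asfquart`, and the authorization-code character allow-list are assumptions for illustration; they are not taken from the project.

```python
"""Added example (not asfquart's code): how an unencoded authorization code
lets extra query parameters reach the token endpoint, and two defensive fixes."""
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Assumed template mirroring the shape of the page's OAUTH_URL_CALLBACK;
# the real value in asfquart is not shown on the page.
OAUTH_URL_CALLBACK = "https://oauth.example.org/token?client_id=asfquart&code=%s"

# Assumed allow-list for authorization codes: RFC 3986 unreserved characters
# only. Tighten or loosen to match what your authorization server issues.
_CODE_RE = re.compile(r"^[A-Za-z0-9._~-]{1,512}$")


def build_url_unencoded(code: str) -> str:
    """The vulnerable pattern from the page: raw %-interpolation of the code."""
    return OAUTH_URL_CALLBACK % code


def build_url_encoded(code: str) -> str:
    """Hardened: percent-encode the code so '&', '=', '#' and '%' stay literal data."""
    return OAUTH_URL_CALLBACK % quote(code, safe="")


def build_url_with_urlencode(code: str) -> str:
    """Alternative fix: assemble the query from a dict; urlencode escapes every value."""
    base = OAUTH_URL_CALLBACK.split("?", 1)[0]
    return f"{base}?{urlencode({'client_id': 'asfquart', 'code': code})}"


def validate_code(code: str) -> bool:
    """Defence in depth: reject codes outside the expected character set before use."""
    return bool(_CODE_RE.fullmatch(code))


def query_params(url: str) -> dict:
    """Parse the query string as a token endpoint would (fragment is discarded)."""
    return dict(parse_qs(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    # Constructed sample: a code carrying a smuggled client_id parameter.
    hostile = "legit_code&client_id=other_client"
    print("validate_code:", validate_code(hostile))
    print("unencoded:", query_params(build_url_unencoded(hostile)))
    print("encoded:  ", query_params(build_url_encoded(hostile)))
    print("urlencode:", query_params(build_url_with_urlencode(hostile)))
```

With the raw interpolation the endpoint sees two `client_id` values and a truncated `code`; a server that takes the last occurrence of a repeated parameter would authenticate the exchange as `other_client`. Both encoded variants deliver the whole string as the single `code` value, and `validate_code` rejects it outright, which is the right first line of defence when the expected format is known.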
The vulnerability, flagged under ASVS Levels L1 and L2, represents a systemic failure in input validation. It exposes the application to risks where injected parameters could manipulate client identification, redirect URIs, or grant types on the token endpoint. This flaw serves as a stark reminder that security cannot rely on assumed server behavior; robust client-side validation and encoding are non-negotiable requirements for any OAuth integration.