[http_authorization] Check for nil value when decode based64 value

Performing a match on a nil value results in an exception being thrown and bypassing the entire authorization validation process.
3scale · Oct 21, 2024 · 3107636 · 3107636
1 parent 7fe7ac6
commit 3107636
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/gateway/src/resty/http_authorization.lua b/gateway/src/resty/http_authorization.lua
@@ -9,8 +9,11 @@ local _M = {
 local mt = { __index = _M }
 
 function _M.parsers.Basic(param)
+  local userid, password
   local user_pass = ngx.decode_base64(param)
-  local userid, password = match(user_pass, '^(.*):(.*)$')
+  if user_pass then
+    userid, password = match(user_pass, '^(.*):(.*)$')
+  end
 
   return {
     userid = userid,

diff --git a/spec/resty/http_authorization_spec.lua b/spec/resty/http_authorization_spec.lua
@@ -60,6 +60,13 @@ describe('HTTP Authorization', function()
         assert.equal('', auth.userid)
         assert.equal('pass', auth.password)
       end)
+
+      it('do not panic with invalid header', function()
+        local auth = authorization.new('Basic !123!')
+
+        assert.equal(nil, auth.userid)
+        assert.equal(nil, auth.password)
+      end)
     end)
 
     describe('Bearer', function()