
fix: auth bypass #5

Closed

Conversation

shreemaan-abhishek
Member

This PR fixes the authentication bypass issue in cdbattags/lua-resty-jwt#61.

@@ -284,6 +284,7 @@ local function parse_jwe(self, preshared_key, encoded_header, encoded_encrypted_
local iv = _M:jwt_decode(encoded_iv)
local signature_or_tag = _M:jwt_decode(encoded_auth_tag)
local basic_jwe = {
typ = str_const.JWE,
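Review bot: The field added at +287 shares its name with the JOSE header parameter `typ`, which on this object lives under `header`, so a reader can easily confuse `basic_jwe.typ` (the library's own parse-time tag for "this came from parse_jwe") with the token's declared `typ`. A short comment at the field, or a name such as `serialization`, would make clear that this value is set by the parser and is not read from the token.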


Why do you add this? It seems meaningless.

Comment on lines +835 to +838
if alg == nil then
jwt_obj[str_const.reason] = "No algorithm supplied"
return jwt_obj
end
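Review bot: The guard at +835 to +838 duplicates the unsupported-algorithm branch further down, but that existing branch is the actual failure point when `alg` is nil: in Lua, `"Unsupported algorithm " .. alg` raises an error on a nil operand instead of recording a reason. Whichever form is kept should tolerate a nil `alg` explicitly, for example `.. (alg or "nil")`, so the object is returned with a reason rather than the call aborting mid-verification.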


We should not check like this; there is already corresponding judgment logic below:

  else
    jwt_obj[str_const.reason] = "Unsupported algorithm " .. alg
  end

We just fix the bug when alg == nil:

  else
    jwt_obj[str_const.reason] = "Unsupported algorithm " .. (alg or "nil")
  end

Comment on lines +554 to 556
if jwt_obj.typ == str_const.JWE or (jwt_obj.typ == nil and (typ == str_const.JWE or jwt_obj.header.enc)) then
return sign_jwe(self, secret_key, jwt_obj)
end
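Review bot: The JWE detection at +554 falls back to header contents (`typ == str_const.JWE or jwt_obj.header.enc`) whenever `jwt_obj.typ` is nil, so whether the object is routed to `sign_jwe` is decided by whoever wrote the header rather than by the token's structure; deciding this from the serialization (the segment count, as the reviewer suggests) or from an explicit caller option is more robust. Note also that `jwt_obj.header.enc` will raise "attempt to index a nil value" when `header` is absent, so the condition needs a `jwt_obj.header and` guard.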

@monkeyDluffy6017 Jul 13, 2023


The way to check if the obj is JWE is not correct. The JWE obj has five dots in the body; I think checking this is more appropriate.


And the function sign_jwe is not correct either; you should refactor the function.

@@ -322,6 +323,7 @@ local function parse_jwt(encoded_header, encoded_payload, signature)
end

local basic_jwt = {
typ = str_const.JWT,
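Review bot: With this tag set in parse_jwt alongside the one in parse_jwe, every object produced by the library's own parsers carries a non-nil `typ`, so the `jwt_obj.typ == nil` branch in the sign dispatch at +554 only ever applies to caller-constructed objects. That parsed-versus-caller-built distinction is the whole basis of the new check and should be stated in a comment here, since nothing in the table definition itself conveys it.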


ditto

@Sn0rt closed this Jul 13, 2023