Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: sanitize tokens for the blacklist #352

Merged
merged 1 commit into from
Jun 5, 2024
Merged

fix: sanitize tokens for the blacklist #352

merged 1 commit into from
Jun 5, 2024

Conversation

abc3
Copy link
Member

@abc3 abc3 commented Jun 5, 2024

No description provided.

@abc3 abc3 requested a review from delgado3d June 5, 2024 14:55
@abc3 abc3 requested a review from a team as a code owner June 5, 2024 14:55
filipecabaco
filipecabaco reviewed Jun 5, 2024
View reviewed changes
lib/supavisor_web/router.ex
@@ -89,6 +89,7 @@ defmodule SupavisorWeb.Router do
blocklist = Application.fetch_env!(:supavisor, blocklist_key)

with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
token <- Regex.replace(~r/\s|\n/, URI.decode(token), ""),
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not

blocklist =
      Application.get_env(:realtime, blocklist_key, [])
      |> Enum.map(&String.trim/1)
      |> Enum.map(&String.downcase/1)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I repeated the same approach as in JwtAuthToken to ensure we manipulate the same string

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

supavisor/lib/supavisor/jwt.ex

Line 39 in d6897df

Regex.replace(~r/\s|\n/, URI.decode(token), "")

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but why URI decode it? really curious about it.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can hide some symbols via HTML characters, which token sanitization can skip but the JWT library can decode

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TIL 👀 will copy pasta it into realtime 🍝

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we do the same to the blocklist tokens?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess not, because we can check that they are without spaces or new lines?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wdyt?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fair... fair...

@abc3 abc3 merged commit d0a3f61 into main Jun 5, 2024
2 checks passed
@abc3 abc3 deleted the fix/token_blocklist branch June 5, 2024 17:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@filipecabaco filipecabaco filipecabaco approved these changes

@delgado3d delgado3d Awaiting requested review from delgado3d

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@abc3 @filipecabaco