[SECURITY] Last will messages are not checked against authorization. #211
Comments
Would you like to send a PR for this? For future reference, it’s better to send security vulnerabilities privately.
When should the authorization be checked then? During connect, or once the connection is broken? In the latter case, what happens if the authorization fails? Will it just ignore the message? And if it checks during connect, what should happen if the authorization fails? Break the connection immediately? Remove the last will? And if it breaks, does it need to send anything?
Check when the connection is broken, and if it does not pass authorization it’s just silently ignored. IMHO it’s the best way, because authorization between connection and disconnection might change.
The LWT is not checked for authorization.
Simple example:
Now, from a client, connect and subscribe to "will".
From another client, connect with a last will message with topic "will". Then send a message to "test", breaking the connection (because of authorization failure).
Breaking the connection will trigger the LWT and thus send a message to "will", which can be seen in the other client.
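The scenario above, modelled as an added example that is not the project's own code: a minimal in-memory broker in which an ordinary PUBLISH is checked against an ACL but the will registered at CONNECT is not, plus the two fixes the discussion weighs (reject at CONNECT, or drop silently at disconnect). All names (Broker, Session, the acl callback, the will_check policy) and the ACL contents are hypothetical; topic matching is exact, so wildcard subscriptions are out of scope. The second function goes beyond the report to show the case raised in the comments: a permission revoked while the client is still connected, which only the disconnect-time check catches.

```python
# Added example (not the project's own code): a minimal in-memory model of an
# MQTT broker session showing why an unchecked Last Will and Testament (LWT)
# bypasses publish authorization, and the two ways to close the gap that the
# discussion considers. Names (Broker, Session, acl, will_check) are hypothetical.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Authorization callback: (client_id, topic) -> True if the client may publish there.
Acl = Callable[[str, str], bool]


@dataclass
class Session:
    client_id: str
    # Will registered in the CONNECT packet: (topic, payload), or None.
    will: Optional[Tuple[str, bytes]] = None


@dataclass
class Broker:
    acl: Acl
    # "none":       reproduce the reported behaviour (the will is never checked)
    # "connect":    refuse the CONNECT if the will topic is not authorized
    # "disconnect": drop the will silently when the connection breaks
    will_check: str = "none"
    sessions: Dict[str, Session] = field(default_factory=dict)
    subscriptions: Dict[str, List[str]] = field(default_factory=dict)
    # Every (subscriber, topic, payload) actually delivered. Exact-match topics only;
    # wildcard subscriptions are deliberately not modelled.
    delivered: List[Tuple[str, str, bytes]] = field(default_factory=list)

    def connect(self, client_id: str, will: Optional[Tuple[str, bytes]] = None) -> bool:
        if will is not None and self.will_check == "connect" and not self.acl(client_id, will[0]):
            return False  # CONNECT refused: no session, no will stored
        self.sessions[client_id] = Session(client_id, will)
        return True

    def subscribe(self, client_id: str, topic: str) -> None:
        self.subscriptions.setdefault(topic, []).append(client_id)

    def _route(self, topic: str, payload: bytes) -> None:
        for subscriber in self.subscriptions.get(topic, []):
            self.delivered.append((subscriber, topic, payload))

    def publish(self, client_id: str, topic: str, payload: bytes) -> bool:
        """Ordinary PUBLISH: the ACL is enforced, and a failure breaks the connection."""
        if not self.acl(client_id, topic):
            self.disconnect(client_id, clean=False)
            return False
        self._route(topic, payload)
        return True

    def disconnect(self, client_id: str, clean: bool) -> None:
        """A clean DISCONNECT discards the will; an abrupt one publishes it."""
        session = self.sessions.pop(client_id)
        if clean or session.will is None:
            return
        topic, payload = session.will
        # The gap: with will_check "none" (or "connect") the will is routed here
        # without consulting the ACL at all.
        if self.will_check == "disconnect" and not self.acl(client_id, topic):
            return  # silently ignored, as proposed in the discussion
        self._route(topic, payload)


def reproduce(will_check: str) -> List[Tuple[str, str, bytes]]:
    """Replay the issue's scenario under a will-check policy; return what was delivered."""
    # Constructed ACL: "victim" may publish anywhere, "attacker" nowhere.
    acl: Acl = lambda client_id, topic: client_id == "victim"
    broker = Broker(acl=acl, will_check=will_check)
    broker.connect("victim")
    broker.subscribe("victim", "will")
    if not broker.connect("attacker", will=("will", b"unauthorized message")):
        return broker.delivered  # refused at CONNECT: nothing can be delivered
    # Publishing to "test" fails authorization and breaks the connection,
    # which triggers the will.
    broker.publish("attacker", "test", b"x")
    return broker.delivered


def revoked_after_connect(will_check: str) -> List[Tuple[str, str, bytes]]:
    """Authorization changes while the client is connected: the case raised in the
    discussion for checking at disconnect rather than at connect."""
    allowed = {"victim", "attacker"}
    broker = Broker(acl=lambda client_id, topic: client_id in allowed, will_check=will_check)
    broker.connect("victim")
    broker.subscribe("victim", "will")
    broker.connect("attacker", will=("will", b"stale permission"))  # authorized right now
    allowed.discard("attacker")  # permission revoked while still connected
    broker.disconnect("attacker", clean=False)  # e.g. the TCP connection dropped
    return broker.delivered


if __name__ == "__main__":
    print("unchecked:            ", reproduce("none"))
    print("checked at connect:   ", reproduce("connect"))
    print("checked at disconnect:", reproduce("disconnect"))
    print("revoked, connect-check:   ", revoked_after_connect("connect"))
    print("revoked, disconnect-check:", revoked_after_connect("disconnect"))
```

With will_check "none" the victim receives the will even though the attacker could never have published to "will" directly. A connect-time check stops the report's scenario but still leaks the will once a permission is revoked mid-session, which is the reason given in the thread for checking at the moment the connection breaks.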