Commit
[http_authorization] Check for nil value when decoding base64 value
Performing a match on a nil value results in an exception being thrown
and bypassing the entire authorization validation process.
tkan145 committed Nov 6, 2024
1 parent 03ae56f commit 66548bc
Showing 4 changed files with 537 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).

- Fixed CVE-2023-44487 (HTTP/2 Rapid Reset) [PR #1417](https://github.com/3scale/apicast/pull/1417) [THREESCALE-10224](https://issues.redhat.com/browse/THREESCALE-10224)

- Fixed APIcast panic when parsing invalid base64 encoded value [PR #1505](https://github.com/3scale/APIcast/pull/1505) [THEESCALE-11435](https://issues.redhat.com/browse/THREESCALE-11435)

### Added

- Detect number of CPU shares when running on Cgroups V2 [PR #1410](https://github.com/3scale/apicast/pull/1410) [THREESCALE-10167](https://issues.redhat.com/browse/THREESCALE-10167)
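Review bot: the link label on the new entry reads "THEESCALE-11435" while the URL says THREESCALE-11435; fix the label so it matches the issue key, e.g. `[THREESCALE-11435](https://issues.redhat.com/browse/THREESCALE-11435)`. The entry also describes the bug as a "panic" whereas the commit message calls it an exception that skipped authorization validation; wording it as "Fixed APIcast error (skipped authorization check) when parsing an invalid base64 encoded Authorization header" tells readers the security relevance directly.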
5 changes: 4 additions & 1 deletion gateway/src/resty/http_authorization.lua
Expand Up @@ -9,8 +9,11 @@ local _M = {
local mt = { __index = _M }

function _M.parsers.Basic(param)
local userid, password
local user_pass = ngx.decode_base64(param)
local userid, password = match(user_pass, '^(.*):(.*)$')
if user_pass then
userid, password = match(user_pass, '^(.*):(.*)$')
end

return {
userid = userid,
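Review bot: the `if user_pass then` guard stops `match` from being called with nil, but it swallows the decode failure silently; consider an `else` branch with an `ngx.log(ngx.DEBUG, ...)` so a malformed Authorization header can be told apart in gateway logs from a well-formed one carrying wrong credentials. Note that the same nil path is now taken for every value `ngx.decode_base64` rejects, not only `!123!`, and that a decodable value without a colon also leaves `userid`/`password` nil via the `^(.*):(.*)$` match, so callers must treat nil fields as "no credentials" rather than as an empty string, which the existing `assert.equal('', auth.userid)` case shows is a distinct outcome.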
7 changes: 7 additions & 0 deletions spec/resty/http_authorization_spec.lua
Expand Up @@ -60,6 +60,13 @@ describe('HTTP Authorization', function()
assert.equal('', auth.userid)
assert.equal('pass', auth.password)
end)

it('do not panic with invalid header', function()
local auth = authorization.new('Basic !123!')

assert.equal(nil, auth.userid)
assert.equal(nil, auth.password)
end)
end)

describe('Bearer', function()
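Review bot: the new spec only exercises the decode-failure branch; add a second case for a value that decodes but contains no colon (for example the base64 of `user` alone), which reaches `match` and must also yield nil for both fields, so the regex path is covered as well as the nil guard. Minor: the description should read 'does not panic with invalid header'.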

0 comments on commit 66548bc