Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/11/04 06:14:02 UTC

[GitHub] [apisix] leslie-tsang opened a new pull request #5419: fix: add handler for invalid basic auth header values

leslie-tsang opened a new pull request #5419:
URL: https://github.com/apache/apisix/pull/5419


   ### What this PR does / why we need it:
   Ref to #5411 
   ### Pre-submission checklist:
   
   * [x] Did you explain what problem this PR solves, or what new features have been added?
   * [x] Have you added corresponding test cases?
   * [ ] Have you modified the corresponding document?
   * [x] Is this PR backward compatible? **If it is not backward compatible, please discuss on the [mailing list](https://github.com/apache/apisix/tree/master#community) first**
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] leslie-tsang commented on a change in pull request #5419: fix: add handler for invalid basic auth header values

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on a change in pull request #5419:
URL: https://github.com/apache/apisix/pull/5419#discussion_r742779132



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -80,12 +80,23 @@ local function extract_auth_header(authorization)
             return nil, err
         end
 
+        if not m then
+            return nil, "Invalid authorization header format"
+        end
+
         local decoded = ngx.decode_base64(m[1])
 
+        if not decoded then
+            return nil, "Failed to decode authentication header: " .. m[1]
+        end
+
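
Review bot: the new `if not decoded` branch builds its message as "Failed to decode authentication header: " .. m[1], which copies the raw header value into the error; wherever that string ends up (the error log or a response body), a credential that is merely mistyped or mis-padded is written out with it. Keep the message fixed, e.g. `return nil, "Failed to decode authentication header"`, and if the value is needed for debugging log its length rather than its contents. The order of the guards is right: `m` is tested before `m[1]` is indexed, and the `err` path from the match call is already handled above.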

Review comment:
       😂 `aca` doesn't trigger it either; a str with `_` like `aca_a` works as expected.




[GitHub] [apisix] spacewander merged pull request #5419: fix: add handler for invalid basic auth header values

Posted by GitBox <gi...@apache.org>.
spacewander merged pull request #5419:
URL: https://github.com/apache/apisix/pull/5419


   


[GitHub] [apisix] leslie-tsang commented on a change in pull request #5419: fix: add handler for invalid basic auth header values

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on a change in pull request #5419:
URL: https://github.com/apache/apisix/pull/5419#discussion_r742604963



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -80,12 +80,23 @@ local function extract_auth_header(authorization)
             return nil, err
         end
 
+        if not m then
+            return nil, "Invalid authorization header format"
+        end
+
         local decoded = ngx.decode_base64(m[1])
 
+        if not decoded then
+            return nil, "Failed to decode authentication header: " .. m[1]
+        end
+
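
Review bot: the two new error strings name the same header differently, "Invalid authorization header format" on the first guard and "Failed to decode authentication header: ..." on the second. The request header is `Authorization`, so use that word in both; a single term also keeps the messages greppable in logs and in the tests that assert on them.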

Review comment:
       @spacewander
   Is there a test case that can hit this scenario?




[GitHub] [apisix] spacewander commented on a change in pull request #5419: fix: add handler for invalid basic auth header values

Posted by GitBox <gi...@apache.org>.
spacewander commented on a change in pull request #5419:
URL: https://github.com/apache/apisix/pull/5419#discussion_r742598124



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -80,12 +80,19 @@ local function extract_auth_header(authorization)
             return nil, err
         end
 
+        if not m then
+            return nil, "Invalid authorization header format"
+        end
+
         local decoded = ngx.decode_base64(m[1])
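
Review bot: `ngx.decode_base64(m[1])` returns nil for input it cannot decode, and nothing in this hunk checks `decoded` before it is used, so a well-formed `Basic` header carrying a bad value reaches the code below with a nil in hand. Add a guard mirroring the new `if not m` check directly after the decode, e.g. `if not decoded then return nil, "Failed to decode authentication header" end`, so this case gets the same clean rejection as a wrong scheme.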

Review comment:
       Oh, I know what you mean. No, you are pointing to the wrong method. See https://github.com/openresty/lua-resty-core/blob/985eb5b323468effaa66deb5cbd4f800b99834cf/lib/resty/core/base64.lua#L107




[GitHub] [apisix] spacewander commented on a change in pull request #5419: fix: add handler for invalid basic auth header values

Posted by GitBox <gi...@apache.org>.
spacewander commented on a change in pull request #5419:
URL: https://github.com/apache/apisix/pull/5419#discussion_r742601365



##########
File path: t/plugin/basic-auth.t
##########
@@ -163,7 +163,46 @@ GET /hello
 
 
 
-=== TEST 6: verify, invalid username
+=== TEST 6: verify, invalid basic authorization header
+--- request
+GET /hello
+--- more_headers
+Authorization: Bad_header YmFyOmJhcgo=
+--- error_code: 401
+--- response_body
+{"message":"Invalid authorization header format"}
+--- no_error_log
+[error]
+
+
+
+=== TEST 7: verify, invalid authorization value (bad base64 str)
+--- request
+GET /hello
+--- more_headers
+Authorization: Basic aaaa
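
Review bot: TEST 7 is titled "bad base64 str" but sends `Authorization: Basic aaaa`, and `aaaa` is four characters from the base64 alphabet that decode cleanly to three bytes, so the decode-failure branch this test is meant to cover is never reached; if the request is rejected at all, it is only because those bytes contain no `:`. Use a value the decoder actually rejects, for instance one containing a character outside the alphabet such as `_`, and keep the `--- error_code: 401` / `--- response_body` shape of TEST 6 so the expected message is pinned. The `-`/`+` pair on the TEST 6 title also retires the old "invalid username" case from that slot; confirm it still exists under a later number rather than being dropped.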

Review comment:
       `aaaa` is a valid base64 str




[GitHub] [apisix] leslie-tsang commented on a change in pull request #5419: fix: add handler for invalid basic auth header values

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on a change in pull request #5419:
URL: https://github.com/apache/apisix/pull/5419#discussion_r742612009



##########
File path: t/plugin/basic-auth.t
##########
@@ -163,7 +163,46 @@ GET /hello
 
 
 
-=== TEST 6: verify, invalid username
+=== TEST 6: verify, invalid basic authorization header
+--- request
+GET /hello
+--- more_headers
+Authorization: Bad_header YmFyOmJhcgo=
+--- error_code: 401
+--- response_body
+{"message":"Invalid authorization header format"}
+--- no_error_log
+[error]
+
+
+
+=== TEST 7: verify, invalid authorization value (bad base64 str)
+--- request
+GET /hello
+--- more_headers
+Authorization: Basic aaaa

Review comment:
       I will fix it.




[GitHub] [apisix] leslie-tsang commented on a change in pull request #5419: fix: add handler for invalid basic auth header values

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on a change in pull request #5419:
URL: https://github.com/apache/apisix/pull/5419#discussion_r742572618



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -80,12 +80,19 @@ local function extract_auth_header(authorization)
             return nil, err
         end
 
+        if not m then
+            return nil, "Invalid authorization header format"
+        end
+
         local decoded = ngx.decode_base64(m[1])

Review comment:
       @spacewander seems `decode_base64` always returns an `ffi_string`
   https://github.com/openresty/lua-resty-core/blob/985eb5b323468effaa66deb5cbd4f800b99834cf/lib/resty/core/base64.lua#L60




[GitHub] [apisix] spacewander commented on a change in pull request #5419: fix: add handler for invalid basic auth header values

Posted by GitBox <gi...@apache.org>.
spacewander commented on a change in pull request #5419:
URL: https://github.com/apache/apisix/pull/5419#discussion_r742596370



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -80,12 +80,19 @@ local function extract_auth_header(authorization)
             return nil, err
         end
 
+        if not m then
+            return nil, "Invalid authorization header format"
+        end
+
         local decoded = ngx.decode_base64(m[1])

Review comment:
       `ffi_string` is not a type, but a function that returns a Lua string




[GitHub] [apisix] spacewander commented on a change in pull request #5419: fix: add handler for invalid basic auth header values

Posted by GitBox <gi...@apache.org>.
spacewander commented on a change in pull request #5419:
URL: https://github.com/apache/apisix/pull/5419#discussion_r742647685



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -80,12 +80,23 @@ local function extract_auth_header(authorization)
             return nil, err
         end
 
+        if not m then
+            return nil, "Invalid authorization header format"
+        end
+
         local decoded = ngx.decode_base64(m[1])
 
+        if not decoded then
+            return nil, "Failed to decode authentication header: " .. m[1]
+        end
+

Review comment:
       You can pass an invalid str like `aca`




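
To make the thread's test vectors concrete (the `aaaa` that spacewander flags as valid base64, the `aca` that still decodes without error, and the `aca_a` that finally trips the new check), here is an added Python model of the parsing path this PR touches. It is example code written for this page, not apisix's own plugin, and two things in it are assumptions rather than facts from the thread: the regex that produces `m` is taken to be `^Basic\s+(\S+)$` (the real pattern is not shown here), and `nginx_decode_base64` reproduces nginx's `ngx_decode_base64`, the C function behind `ngx.decode_base64`, as the author of this example understands it: everything from the first `=` onward is ignored, a character outside the base64 alphabet or a length of 1 mod 4 yields nil, and padding is optional. The split on `:` after decoding is likewise the example's own, added so the function returns something usable.

```python
r"""Added example for this thread, not apisix's plugin code.

Models the two guards the PR adds to extract_auth_header and the decoder
behind them.  Assumptions (not taken from the page): the regex that yields
`m` is taken to be `^Basic\s+(\S+)$`, and nginx_decode_base64 reproduces
nginx's ngx_decode_base64 as the author of this example understands it:
everything from the first '=' is ignored, a character outside the base64
alphabet or a length of 1 mod 4 yields None (nil in Lua), padding is optional.
"""
import re
from typing import Optional, Tuple

_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_SEXTET = {c: i for i, c in enumerate(_ALPHABET)}


def nginx_decode_base64(s: str) -> Optional[bytes]:
    """Decode like ngx.decode_base64: bytes on success, None where Lua gets nil."""
    eq = s.find("=")
    body = s if eq < 0 else s[:eq]          # nothing after the first '=' is looked at
    if any(c not in _SEXTET for c in body):
        return None                          # e.g. the '_' in "aca_a"
    if len(body) % 4 == 1:
        return None                          # a lone sextet cannot form a byte
    out = bytearray()
    full = len(body) - len(body) % 4
    for i in range(0, full, 4):              # 4 chars -> 3 bytes
        a, b, c, d = (_SEXTET[x] for x in body[i:i + 4])
        out += bytes(((a << 2 | b >> 4) & 0xFF,
                      (b << 4 | c >> 2) & 0xFF,
                      (c << 6 | d) & 0xFF))
    tail = body[full:]                       # unpadded tail: 2 or 3 chars -> 1 or 2 bytes
    if len(tail) > 1:
        out.append((_SEXTET[tail[0]] << 2 | _SEXTET[tail[1]] >> 4) & 0xFF)
    if len(tail) > 2:
        out.append((_SEXTET[tail[1]] << 4 | _SEXTET[tail[2]] >> 2) & 0xFF)
    return bytes(out)


# Assumed shape of the match the plugin performs; the real pattern is not on the page.
_BASIC_RE = re.compile(r"^Basic\s+(\S+)$")

Credentials = Tuple[str, str]


def extract_auth_header(authorization: str) -> Tuple[Optional[Credentials], Optional[str]]:
    """Return ((user, password), None) or (None, reason), mirroring the Lua `nil, err` style."""
    m = _BASIC_RE.match(authorization)
    if not m:                                # wrong scheme or no value: first guard in the PR
        return None, "Invalid authorization header format"
    decoded = nginx_decode_base64(m.group(1))
    if decoded is None:                      # undecodable value: second guard in the PR
        # Deliberately not echoing m.group(1): a near-miss credential should not reach a log.
        return None, "Failed to decode authentication header"
    user, sep, password = decoded.partition(b":")
    if not sep:                              # assumed: the ':' split is the example's, not the page's
        return None, "Invalid authorization header format"
    return (user.decode("utf-8", "replace"), password.decode("utf-8", "replace")), None
```

Fed the thread's values, `aaaa` and `aca` both decode (the latter to two bytes, since padding is optional), so neither ever reaches the second guard; `aca_a` does. A test for the decode-failure branch therefore needs a character outside the alphabet, which is the fix leslie-tsang lands on, and the `Bad_header YmFyOmJhcgo=` request from TEST 6 stops at the first guard exactly as the new `if not m` check intends.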


