Posted to notifications@apisix.apache.org by sp...@apache.org on 2021/11/05 01:27:56 UTC
[apisix] branch master updated: fix: add handler for invalid basic
auth header values (#5419)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new eab5606 fix: add handler for invalid basic auth header values (#5419)
eab5606 is described below
commit eab5606426bb775358469191aa78c2a7d9cebba9
Author: leslie <59...@users.noreply.github.com>
AuthorDate: Fri Nov 5 09:27:38 2021 +0800
fix: add handler for invalid basic auth header values (#5419)
---
apisix/plugins/basic-auth.lua | 13 +++++++++-
t/plugin/basic-auth.t | 57 ++++++++++++++++++++++++++++++++++++-------
2 files changed, 60 insertions(+), 10 deletions(-)
diff --git a/apisix/plugins/basic-auth.lua b/apisix/plugins/basic-auth.lua
index 1df25da..5e78056 100644
--- a/apisix/plugins/basic-auth.lua
+++ b/apisix/plugins/basic-auth.lua
@@ -80,12 +80,23 @@ local function extract_auth_header(authorization)
return nil, err
end
+ if not m then
+ return nil, "Invalid authorization header format"
+ end
+
local decoded = ngx.decode_base64(m[1])
+ if not decoded then
+ return nil, "Failed to decode authentication header: " .. m[1]
+ end
+
local res
res, err = ngx_re.split(decoded, ":")
if err then
- return nil, "split authorization err:" .. err
+ return nil, "Split authorization err:" .. err
+ end
+ if #res < 2 then
+ return nil, "Split authorization err: invalid decoded data: " .. decoded
end
obj.username = ngx.re.gsub(res[1], "\\s+", "", "jo")
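Review bot: The two new error returns after the `ngx.decode_base64` call and the `#res < 2` check embed client-controlled data in the message — `m[1]` is the raw header token and `decoded` is whatever bytes it decodes to — and the t/plugin/basic-auth.t hunk (TEST 7, TEST 8) shows that string is sent back verbatim in the 401 body, so arbitrary bytes from the Authorization header, including control characters or a partially typed credential, are reflected to the client and presumably also land in the error log. A fixed message for the response is safer, with the offending value kept to a debug-level log if it is needed for troubleshooting: `return nil, "Failed to decode authentication header"` and `return nil, "Split authorization err: invalid decoded data"`, with the expected bodies of TEST 7 and TEST 8 adjusted to match. The `#res < 2` check also admits three or more parts, so a password containing ':' is split by `ngx_re.split(decoded, ":")`; the hunk only shows `res[1]` being used, so how `res[2]` onward is handled needs checking against the rest of extract_auth_header, which starts before and continues after this hunk.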
diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t
index 79078b1..a780f3b 100644
--- a/t/plugin/basic-auth.t
+++ b/t/plugin/basic-auth.t
@@ -163,7 +163,46 @@ GET /hello
-=== TEST 6: verify, invalid username
+=== TEST 6: verify, invalid basic authorization header
+--- request
+GET /hello
+--- more_headers
+Authorization: Bad_header YmFyOmJhcgo=
+--- error_code: 401
+--- response_body
+{"message":"Invalid authorization header format"}
+--- no_error_log
+[error]
+
+
+
+=== TEST 7: verify, invalid authorization value (bad base64 str)
+--- request
+GET /hello
+--- more_headers
+Authorization: Basic aca_a
+--- error_code: 401
+--- response_body
+{"message":"Failed to decode authentication header: aca_a"}
+--- no_error_log
+[error]
+
+
+
+=== TEST 8: verify, invalid authorization value (no password)
+--- request
+GET /hello
+--- more_headers
+Authorization: Basic YmFy
+--- error_code: 401
+--- response_body
+{"message":"Split authorization err: invalid decoded data: bar"}
+--- no_error_log
+[error]
+
+
+
+=== TEST 9: verify, invalid username
--- request
GET /hello
--- more_headers
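Review bot: None of the new cases (TEST 6–8) exercises a well-formed credential whose password contains ':', e.g. the base64 encoding of a constructed value like `foo:pa:ss`, although the `#res < 2` check added in apisix/plugins/basic-auth.lua accepts such input; it is the one new path in the handler with no test pinning its outcome. Adding that case and asserting whichever result is intended (a 401 with a fixed message, or a successful match against a consumer whose password holds the colon) would document the contract, since the split on ':' otherwise leaves it implicit.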
@@ -176,7 +215,7 @@ Authorization: Basic YmFyOmJhcgo=
-=== TEST 7: verify, invalid password
+=== TEST 10: verify, invalid password
--- request
GET /hello
--- more_headers
@@ -189,7 +228,7 @@ Authorization: Basic Zm9vOmZvbwo=
-=== TEST 8: verify
+=== TEST 11: verify
--- request
GET /hello
--- more_headers
@@ -203,7 +242,7 @@ find consumer foo
-=== TEST 9: invalid schema, only one field `username`
+=== TEST 12: invalid schema, only one field `username`
--- config
location /t {
content_by_lua_block {
@@ -234,7 +273,7 @@ GET /t
-=== TEST 10: invalid schema, not field given
+=== TEST 13: invalid schema, not field given
--- config
location /t {
content_by_lua_block {
@@ -264,7 +303,7 @@ qr/\{"error_msg":"invalid plugins configuration: failed to check the configurati
-=== TEST 11: invalid schema, not a table
+=== TEST 14: invalid schema, not a table
--- config
location /t {
content_by_lua_block {
@@ -293,7 +332,7 @@ GET /t
-=== TEST 12: get the default schema
+=== TEST 15: get the default schema
--- config
location /t {
content_by_lua_block {
@@ -315,7 +354,7 @@ GET /t
-=== TEST 13: get the schema by schema_type
+=== TEST 16: get the schema by schema_type
--- config
location /t {
content_by_lua_block {
@@ -337,7 +376,7 @@ GET /t
-=== TEST 14: get the schema by error schema_type
+=== TEST 17: get the schema by error schema_type
--- config
location /t {
content_by_lua_block {