Posted to notifications@apisix.apache.org by sp...@apache.org on 2022/04/18 11:14:39 UTC
[apisix] branch master updated: fix: do not expose internal errors to the client (#6859)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 153f385f3 fix: do not expose internal errors to the client (#6859)
153f385f3 is described below
commit 153f385f3516237aa6427127e014cbd850136980
Author: soulbird <zh...@outlook.com>
AuthorDate: Mon Apr 18 19:14:31 2022 +0800
fix: do not expose internal errors to the client (#6859)
---
apisix/plugins/basic-auth.lua | 3 ++-
apisix/plugins/ldap-auth.lua | 5 +++--
apisix/plugins/wolf-rbac.lua | 12 +++++-------
t/plugin/basic-auth.t | 18 +++++++++++++++---
t/plugin/ldap-auth.t | 18 +++++++++++++++---
t/plugin/wolf-rbac.t | 40 +++++++++++++++++++++++++++++++++-------
6 files changed, 73 insertions(+), 23 deletions(-)
diff --git a/apisix/plugins/basic-auth.lua b/apisix/plugins/basic-auth.lua
index 83519bf81..32c0e0445 100644
--- a/apisix/plugins/basic-auth.lua
+++ b/apisix/plugins/basic-auth.lua
@@ -151,7 +151,8 @@ function _M.rewrite(conf, ctx)
local username, password, err = extract_auth_header(auth_header)
if err then
- return 401, { message = err }
+ core.log.warn(err)
+ return 401, { message = "Invalid authorization in request" }
end
-- 2. get user info from consumer plugin
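Review bot: The added `core.log.warn(err)` writes the extract_auth_header error string verbatim, and the tests added in t/plugin/basic-auth.t expect that string to carry request content (`Failed to decode authentication header: aca_a`, `Split authorization err: invalid decoded data: bar`), so the raw Authorization value and, in the split-failure case, its decoded form now land in error.log at warn level for every malformed request. Keeping the detail out of the response is the right call, but the same detail should not be retained in clear text on disk either; extract_auth_header (outside this hunk) would need to return a description without the payload before this line is safe, or the line should log a fixed category only, e.g. `core.log.warn("basic-auth: failed to parse Authorization header: ", err)` once err no longer embeds the header. Until then, operators should treat error.log as credential-bearing. The ldap-auth.lua hunk at @@ -131 has the same pattern. _M.rewrite starts and ends outside this hunk.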
diff --git a/apisix/plugins/ldap-auth.lua b/apisix/plugins/ldap-auth.lua
index 6ea32f00d..3fce91141 100644
--- a/apisix/plugins/ldap-auth.lua
+++ b/apisix/plugins/ldap-auth.lua
@@ -131,7 +131,8 @@ function _M.rewrite(conf, ctx)
local user, err = extract_auth_header(auth_header)
if err then
- return 401, { message = err }
+ core.log.warn(err)
+ return 401, { message = "Invalid authorization in request" }
end
-- 2. try authenticate the user against the ldap server
@@ -146,7 +147,7 @@ function _M.rewrite(conf, ctx)
-- 3. Retrieve consumer for authorization plugin
local consumer_conf = consumer_mod.plugin(plugin_name)
if not consumer_conf then
- return 401, {message = "Missing related consumer"}
+ return 401, { message = "Missing related consumer" }
end
local consumers = lrucache("consumers_key", consumer_conf.conf_version,
create_consumer_cache, consumer_conf)
diff --git a/apisix/plugins/wolf-rbac.lua b/apisix/plugins/wolf-rbac.lua
index b429c7b5c..16ed736cd 100644
--- a/apisix/plugins/wolf-rbac.lua
+++ b/apisix/plugins/wolf-rbac.lua
@@ -23,7 +23,6 @@ local ngx_re = require("ngx.re")
local http = require("resty.http")
local ipairs = ipairs
local ngx = ngx
-local tostring = tostring
local rawget = rawget
local rawset = rawset
local setmetatable = setmetatable
@@ -326,7 +325,7 @@ function _M.rewrite(conf, ctx)
core.log.error(" check_url_permission(",
core.json.delay_encode(perm_item),
") failed, res: ",core.json.delay_encode(res))
- return 401, fail_response(res.err,
+ return 401, fail_response("Invalid user permission",
{ username = username, nickname = nickname }
)
end
@@ -365,7 +364,7 @@ local function get_consumer(appid)
if not consumer then
core.log.info("request appid [", appid, "] not found")
core.response.exit(400,
- fail_response("appid [" .. tostring(appid) .. "] not found")
+ fail_response("appid not found")
)
end
return consumer
@@ -386,7 +385,7 @@ local function request_to_wolf_server(method, uri, headers, body)
if not res then
core.log.error("request [", request_debug, "] failed! err: ", err)
return core.response.exit(500,
- fail_response("request to wolf-server failed! " .. tostring(err))
+ fail_response("request to wolf-server failed!")
)
end
core.log.info("request [", request_debug, "] status: ", res.status,
@@ -396,8 +395,7 @@ local function request_to_wolf_server(method, uri, headers, body)
core.log.error("request [", request_debug, "] failed! status: ",
res.status)
return core.response.exit(500,
- fail_response("request to wolf-server failed! status:"
- .. tostring(res.status))
+ fail_response("request to wolf-server failed!")
)
end
local body, err = json.decode(res.body)
@@ -408,7 +406,7 @@ local function request_to_wolf_server(method, uri, headers, body)
if not body.ok then
core.log.error("request [", request_debug, "] failed! response body:",
core.json.delay_encode(body))
- return core.response.exit(200, fail_response(body.reason))
+ return core.response.exit(200, fail_response("request to wolf-server failed!"))
end
core.log.info("request [", request_debug, "] success! response body:",
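Review bot: The `body.ok` branch now returns the same `"request to wolf-server failed!"` text that the two transport-failure branches earlier in request_to_wolf_server return with status 500, while this branch exits with 200, so a client sees one message for "the gateway could not reach wolf-server" and for "wolf-server rejected the request" (the tests show ERR_PASSWORD_ERROR, ERR_USER_NOT_FOUND and ERR_OLD_PASSWORD_INCORRECT now appear only in the error log). Collapsing the per-reason codes is sound, since it no longer lets a caller tell a missing user from a wrong password, but the rejected case deserves its own generic wording, e.g. `return core.response.exit(200, fail_response("request rejected by wolf-server"))`, so support and clients can separate an outage from a denied login. request_to_wolf_server starts and ends outside this hunk.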
diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t
index f8cf5ab71..5d626edd0 100644
--- a/t/plugin/basic-auth.t
+++ b/t/plugin/basic-auth.t
@@ -157,7 +157,11 @@ GET /hello
Authorization: Bad_header YmFyOmJhcgo=
--- error_code: 401
--- response_body
-{"message":"Invalid authorization header format"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Invalid authorization header format/
+--- grep_error_log_out
+Invalid authorization header format
--- no_error_log
[error]
@@ -170,7 +174,11 @@ GET /hello
Authorization: Basic aca_a
--- error_code: 401
--- response_body
-{"message":"Failed to decode authentication header: aca_a"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Failed to decode authentication header: aca_a/
+--- grep_error_log_out
+Failed to decode authentication header: aca_a
--- no_error_log
[error]
@@ -183,7 +191,11 @@ GET /hello
Authorization: Basic YmFy
--- error_code: 401
--- response_body
-{"message":"Split authorization err: invalid decoded data: bar"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Split authorization err: invalid decoded data: bar/
+--- grep_error_log_out
+Split authorization err: invalid decoded data: bar
--- no_error_log
[error]
diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t
index f100108fb..9ecac330f 100644
--- a/t/plugin/ldap-auth.t
+++ b/t/plugin/ldap-auth.t
@@ -156,7 +156,11 @@ GET /hello
Authorization: Bad_header Zm9vOmZvbwo=
--- error_code: 401
--- response_body
-{"message":"Invalid authorization header format"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Invalid authorization header format/
+--- grep_error_log_out
+Invalid authorization header format
@@ -167,7 +171,11 @@ GET /hello
Authorization: Basic aca_a
--- error_code: 401
--- response_body
-{"message":"Failed to decode authentication header: aca_a"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Failed to decode authentication header: aca_a/
+--- grep_error_log_out
+Failed to decode authentication header: aca_a
@@ -178,7 +186,11 @@ GET /hello
Authorization: Basic Zm9v
--- error_code: 401
--- response_body
-{"message":"Split authorization err: invalid decoded data: foo"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Split authorization err: invalid decoded data: foo/
+--- grep_error_log_out
+Split authorization err: invalid decoded data: foo
diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t
index 67aaacd70..c76c7d2d0 100644
--- a/t/plugin/wolf-rbac.t
+++ b/t/plugin/wolf-rbac.t
@@ -211,7 +211,7 @@ appid=not-found&username=admin&password=123456
Content-Type: application/x-www-form-urlencoded
--- error_code: 400
--- response_body_like eval
-qr/appid \[not-found\] not found/
+qr/appid not found/
--- no_error_log
[error]
@@ -224,7 +224,11 @@ appid=wolf-rbac-app&password=123456
--- more_headers
Content-Type: application/x-www-form-urlencoded
--- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_USERNAME_MISSING/
+--- grep_error_log_out eval
qr/ERR_USERNAME_MISSING/
@@ -236,7 +240,11 @@ appid=wolf-rbac-app&username=admin
--- more_headers
Content-Type: application/x-www-form-urlencoded
--- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_PASSWORD_MISSING/
+--- grep_error_log_out eval
qr/ERR_PASSWORD_MISSING/
@@ -248,7 +256,11 @@ appid=wolf-rbac-app&username=not-found&password=123456
--- more_headers
Content-Type: application/x-www-form-urlencoded
--- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_USER_NOT_FOUND/
+--- grep_error_log_out eval
qr/ERR_USER_NOT_FOUND/
@@ -260,7 +272,11 @@ appid=wolf-rbac-app&username=admin&password=wrong-password
--- more_headers
Content-Type: application/x-www-form-urlencoded
--- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_PASSWORD_ERROR/
+--- grep_error_log_out eval
qr/ERR_PASSWORD_ERROR/
@@ -330,7 +346,13 @@ GET /hello1
--- more_headers
x-rbac-token: V1#wolf-rbac-app#wolf-rbac-token
--- response_body
-{"message":"no permission to access"}
+{"message":"Invalid user permission"}
+--- grep_error_log eval
+qr/no permission to access */
+--- grep_error_log_out
+no permission to access
+no permission to access
+no permission to access
@@ -449,7 +471,11 @@ PUT /apisix/plugin/wolf-rbac/change_pwd
Content-Type: application/json
Cookie: x-rbac-token=V1#wolf-rbac-app#wolf-rbac-token
--- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_OLD_PASSWORD_INCORRECT/
+--- grep_error_log_out eval
qr/ERR_OLD_PASSWORD_INCORRECT/