Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/11/11 10:10:16 UTC
[GitHub] [apisix] Firstsawyou opened a new issue #2710: bug(hmac-auth): when the request contains escape characters, the signature verification fails
Firstsawyou opened a new issue #2710:
URL: https://github.com/apache/apisix/issues/2710
### Issue description
In different programming language environments, the escape characters of parameters in `uri` differ between uppercase and lowercase letters, yet they all represent the same characters. In the `hmac-auth` plugin, the parameters in `uri` are uniformly escaped with `escape_uri`, which converts lowercase letters in escaped characters to uppercase letters. Eventually, the signature in the request is inconsistent with the signature generated by the `hmac-auth` plugin, and the signature verification fails.
The `escape_uri` operation should be removed from the `hmac-auth` plugin, then this problem will be resolved.
### Environment
* apisix version (cmd: `apisix version`): 2.0
* OS:
Example:
1. Add a line of logging code below line 204 of the `hmac-auth` plugin to print the characters escaped by `escape_uri`.
```
core.log.info("query: ", escape_uri(key) .. "=" .. escape_uri(param))
```
![Screenshot 2020-11-11 5:19:10 PM](https://user-images.githubusercontent.com/52862365/98793152-71c35400-2442-11eb-9b7e-e553e24b5371.png)
2. Add test cases with lowercase-letter escape characters in the `hmac-auth.t` file.
```
=== TEST 35: test escape_uri
--- config
    location /t {
        content_by_lua_block {
            local t = require("lib.test_admin").test
            local code, body = t('/apisix/admin/routes/1',
                ngx.HTTP_PUT,
                [[{
                    "plugins": {
                        "hmac-auth": {}
                    },
                    "upstream": {
                        "nodes": {
                            "127.0.0.1:1980": 1
                        },
                        "type": "roundrobin"
                    },
                    "uri": "/hello"
                }]]
                )
            if code >= 300 then
                ngx.status = code
            end
            ngx.say(body)
        }
    }
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]



=== TEST 36: test escape_uri
--- config
    location /t {
        content_by_lua_block {
            local t = require("lib.test_admin").test
            local code, body = t('/apisix/admin/consumers',
                ngx.HTTP_PUT,
                [[{
                    "username": "james",
                    "plugins": {
                        "hmac-auth": {
                            "access_key": "my-access-key4",
                            "secret_key": "my-secret-key4"
                        }
                    }
                }]]
                )
            if code >= 300 then
                ngx.status = code
            end
            ngx.say(body)
        }
    }
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]



=== TEST 37: The escape characters `%3e` and `%2c` with lowercase letters in the uri parameter
--- config
    location /t {
        content_by_lua_block {
            local ngx_time = ngx.time
            local ngx_http_time = ngx.http_time
            local core = require("apisix.core")
            local t = require("lib.test_admin")
            local hmac = require("resty.hmac")
            local ngx_re = require("ngx.re")
            local ngx_encode_base64 = ngx.encode_base64

            local data = {cert = "ssl_cert", key = "ssl_key", sni = "test.com"}
            local req_body = core.json.encode(data)
            req_body = req_body or ""

            local secret_key = "my-secret-key4"
            local timestamp = ngx_time()
            local gmt = ngx_http_time(timestamp)
            local access_key = "my-access-key4"
            local custom_header_a = "asld$%dfasf"
            local custom_header_b = "23879fmsldfk"

            -- the query string is signed with lowercase hex in its escapes
            local signing_string = {
                "GET",
                "/hello",
                "name=rose%3ehello&name2=james%2chello",
                access_key,
                gmt,
                "x-custom-header-a:" .. custom_header_a,
                "x-custom-header-b:" .. custom_header_b
            }
            signing_string = core.table.concat(signing_string, "\n") .. "\n"
            core.log.info("signing_string:", signing_string)

            local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
            core.log.info("signature:", ngx_encode_base64(signature))

            local headers = {}
            headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
            headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
            headers["Date"] = gmt
            headers["X-HMAC-ACCESS-KEY"] = access_key
            headers["X-HMAC-SIGNED-HEADERS"] = "x-custom-header-a;x-custom-header-b"
            headers["x-custom-header-a"] = custom_header_a
            headers["x-custom-header-b"] = custom_header_b

            local code, body = t.test('/hello?name=rose%3ehello&name2=james%2chello',
                ngx.HTTP_GET,
                req_body,
                nil,
                headers
            )

            if code >= 300 then
                ngx.status = code
            end
            ngx.say(body)
        }
    }
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
```
3. Test case execution result:

![Screenshot 2020-11-11 6:02:39 PM](https://user-images.githubusercontent.com/52862365/98798038-5fe4af80-2448-11eb-922f-6302031cfcaf.png)

View log:

![Screenshot 2020-11-11 6:06:34 PM](https://user-images.githubusercontent.com/52862365/98798322-b8b44800-2448-11eb-96e1-54b911c7bccd.png)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] spacewander commented on issue #2710: bug(hmac-auth): when the request contains escape characters, the signature verification fails
Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2710:
URL: https://github.com/apache/apisix/issues/2710#issuecomment-727191578
I can't accept such a breaking change. This change will break all clients that work well now, and it is not easy to upgrade every client immediately. **This is not unfriendly, this is a disaster.**
[GitHub] [apisix] spacewander closed issue #2710: bug(hmac-auth): when the request contains escape characters, the signature verification fails
Posted by GitBox <gi...@apache.org>.
spacewander closed issue #2710:
URL: https://github.com/apache/apisix/issues/2710
[GitHub] [apisix] Firstsawyou commented on issue #2710: bug(hmac-auth): when the request contains escape characters, the signature verification fails
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on issue #2710:
URL: https://github.com/apache/apisix/issues/2710#issuecomment-727183559
In the described solution, in order to maintain backward compatibility, `escape_uri` is enabled by default (`enable_encode` is true). I think it would be better to turn off `escape_uri` (`enable_encode` is false) by default, so that there will be no problems like the one in the title. But this will be unfriendly to users who already use this plugin. We need to discuss.
@gxthrj @membphis @moonming @nic-chen
[GitHub] [apisix] gxthrj commented on issue #2710: bug(hmac-auth): when the request contains escape characters, the signature verification fails
Posted by GitBox <gi...@apache.org>.
gxthrj commented on issue #2710:
URL: https://github.com/apache/apisix/issues/2710#issuecomment-727218688
I think it is ok; the new field `enable_encode` in `schema` is optional. And the default value is true, which is consistent with the current behavior of `hmac-auth`.
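As an added example, not code from APISIX or from anyone in this thread, the following Python models both the mismatch reported in the issue description (the verifier re-escapes the query so `%3e` becomes `%3E` before signing) and the `enable_encode` switch discussed in the later comments. `normalize_query` is an assumed stand-in for the plugin's `escape_uri` step (decode each query key and value, then re-escape with uppercase hex; no claim is made about the plugin's exact ordering or escaping rules). The secret, access key, date and header values are constructed, modelled on TEST 37 above.

```python
"""Why percent-encoding case breaks HMAC request signatures, and what the
enable_encode opt-out changes.  Added example; not APISIX code."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

# Constructed values, modelled on TEST 37 in the issue.
SECRET_KEY = b"my-secret-key4"
ACCESS_KEY = "my-access-key4"
DATE = "Wed, 11 Nov 2020 10:10:16 GMT"  # constructed fixed timestamp
SIGNED_HEADERS = [("x-custom-header-a", "asld$%dfasf"),
                  ("x-custom-header-b", "23879fmsldfk")]


def normalize_query(raw_query: str) -> str:
    """Assumed stand-in for the plugin's escape_uri step: decode every query
    key and value, then re-escape them.  Python's quote() always emits
    uppercase hex, so "%3e" comes back out as "%3E"."""
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    return "&".join(quote(k, safe="") + "=" + quote(v, safe="") for k, v in pairs)


def signing_string(method, path, query, access_key, date, signed_headers):
    """Newline-joined canonical string in the order TEST 37 uses."""
    lines = [method, path, query, access_key, date]
    lines += [f"{name}:{value}" for name, value in signed_headers]
    return "\n".join(lines) + "\n"


def sign(secret: bytes, to_sign: str) -> str:
    """HMAC-SHA256, base64-encoded, as carried in X-HMAC-SIGNATURE."""
    digest = hmac.new(secret, to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify(request: dict, secret: bytes, enable_encode: bool) -> bool:
    """Server side.  With enable_encode=True the verifier re-escapes the query
    before signing (the behaviour the issue describes); with False it signs the
    query string exactly as the client sent it (the proposed opt-out)."""
    query = normalize_query(request["query"]) if enable_encode else request["query"]
    expected = sign(secret, signing_string(request["method"], request["path"], query,
                                           ACCESS_KEY, request["date"],
                                           request["signed_headers"]))
    # Constant-time comparison so signature checking does not leak timing.
    return hmac.compare_digest(expected, request["signature"])


def client_request(raw_query: str, canonicalize_like_server: bool) -> dict:
    """Client side: build the request and sign the query either verbatim or in
    the same normalized form the server will compute."""
    query = normalize_query(raw_query) if canonicalize_like_server else raw_query
    sig = sign(SECRET_KEY, signing_string("GET", "/hello", query, ACCESS_KEY,
                                          DATE, SIGNED_HEADERS))
    return {"method": "GET", "path": "/hello", "query": raw_query, "date": DATE,
            "signed_headers": SIGNED_HEADERS, "signature": sig}


def scenarios() -> dict:
    """Outcome of each client/verifier combination discussed in the thread."""
    lower = "name=rose%3ehello&name2=james%2chello"   # what TEST 37 sends
    upper = "name=rose%3Ehello&name2=james%2Chello"   # same bytes after decoding
    return {
        # The issue's failing case: client signs lowercase escapes verbatim,
        # verifier re-escapes to uppercase, so the two signing strings differ.
        "lowercase_verbatim_encode_on": verify(client_request(lower, False), SECRET_KEY, True),
        # Clients that already emit uppercase escapes keep working (the
        # compatibility the maintainers want to preserve).
        "uppercase_verbatim_encode_on": verify(client_request(upper, False), SECRET_KEY, True),
        # Proposed enable_encode=false: the query is signed exactly as sent.
        "lowercase_verbatim_encode_off": verify(client_request(lower, False), SECRET_KEY, False),
        # A client that mirrors the server's canonicalization is case-independent.
        "lowercase_canonical_encode_on": verify(client_request(lower, True), SECRET_KEY, True),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The example makes the underlying rule visible: an HMAC over a request is only as stable as the canonicalization both sides apply, so either the client must normalize the query exactly as the verifier does, or the verifier must sign the raw bytes it received. Turning `enable_encode` off does the latter, but it also means a proxy or library that rewrites `%3e` to `%3E` in transit would break the signature just as the plugin does today.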
[GitHub] [apisix] Firstsawyou commented on issue #2710: bug(hmac-auth): when the request contains escape characters, the signature verification fails
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on issue #2710:
URL: https://github.com/apache/apisix/issues/2710#issuecomment-725333158
Assigned to me.