Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/11/03 08:59:37 UTC

[GitHub] [apisix] tokers opened a new issue #5411: bug: basic-auth plugin will cause the request abort if Authorization header value is invalid

tokers opened a new issue #5411:
URL: https://github.com/apache/apisix/issues/5411


   ### Issue description
   
   Hi, there
   
   Currently, the basic-auth plugin uses a regex pattern to fetch the part from the `Authorization` header, just like the following:
   
   https://github.com/apache/apisix/blob/fc5f74709b44f6508ab89433e13b7613908fac5f/apisix/plugins/basic-auth.lua#L77-L83
   
   But the code base doesn't validate the capture group number from the regex pattern; thus, if the `Authorization` header is abnormal (say, it doesn't start with the keyword `Basic`), line 83 will cause the current Lua coroutine to abort and the request will be terminated with status code `500`.
   
   ### Environment
   
   - apisix version (cmd: `apisix version`): master branch
   - OS (cmd: `uname -a`):
   - OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
   - etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   - apisix-dashboard version, if have:
   - the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
   - luarocks version, if the issue is about installation (cmd: `luarocks --version`):
   
   
   ### Steps to reproduce
   
   1. Configure a Route and enable the `basic-auth` plugin;
   2. Configure a Consumer and enable the `basic-auth` plugin;
   3. Send requests with an invalid `Authorization` header to Apache APISIX, and let them hit the route created in step 1
   
   ### Actual result
   
   Response with status `500`, and some error logs printed.
   
   
   ### Error log
   
   ```
   2021/11/03 08:50:58 [info] 35#35: *37581 [lua] basic-auth.lua:127: phase_func(): plugin access phase, conf: {"disable":false}, client: 172.17.0.1, server: _, request: "GET /status/303 HTTP/1.1", host: "local2.httpbin.org"
   2021/11/03 08:50:58 [error] 35#35: *37581 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/plugins/basic-auth.lua:83: attempt to index local 'm' (a nil value)
   stack traceback:
   coroutine 0:
           /usr/local/apisix/apisix/plugins/basic-auth.lua: in function 'create_obj_fun'
           /usr/local/apisix/apisix/core/lrucache.lua:92: in function 'lrucache'
           /usr/local/apisix/apisix/plugins/basic-auth.lua:99: in function 'extract_auth_header'
           /usr/local/apisix/apisix/plugins/basic-auth.lua:136: in function 'phase_func'
           /usr/local/apisix/apisix/plugin.lua:683: in function 'run_plugin'
           /usr/local/apisix/apisix/init.lua:448: in function 'http_access_phase'
           access_by_lua(nginx.conf:250):2: in main chunk, client: 172.17.0.1, server: _, request: "GET /status/303 HTTP/1.1", host: "local2.httpbin.org"
   ```
   
   ### Expected result
   
   Should return `401` or `200`, without any related error logs.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
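The failure mode reported above (a regex match result used without a nil check, turning a malformed `Authorization` header into a `500` instead of a `401`) is easy to reproduce and to harden against outside OpenResty. The following Python sketch is an added example and is not APISIX code: `extract_unchecked` mirrors the unchecked-match shape described in the issue, `extract_basic_credentials` is the hardened form that maps every malformed input to a clean failure, and `access_phase` is a toy stand-in for a plugin access phase that turns those failures into an HTTP status. All names, the sample header and the user table are constructed for this example.

```python
import base64
import binascii
import hmac
import re

# Same shape as the match the issue describes: scheme, whitespace, credential.
# Pattern and function names here are assumptions for this example.
BASIC_RE = re.compile(r"^\s*Basic\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample input: the credential for alice:s3cret and a user table.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
USERS = {"alice": "s3cret"}


def extract_unchecked(header):
    """The bug shape from the issue: the match object is indexed without
    checking it. A header that is not 'Basic ...' raises here instead of
    yielding an auth failure (the Python analogue of indexing a nil 'm')."""
    m = BASIC_RE.match(header)
    return m.group(1)  # AttributeError when m is None


def extract_basic_credentials(header):
    """Hardened parser. Returns (True, (user, password)) on success and
    (False, reason) on any malformed input; never raises on client data."""
    if header is None:
        return False, "missing Authorization header"
    m = BASIC_RE.match(header)
    if m is None:
        return False, "not a Basic credential"
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return False, "credential is not valid base64"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, "credential is not valid UTF-8"
    # RFC 7617: user-id ":" password, split on the first colon only
    user, sep, password = text.partition(":")
    if not sep or not user:
        return False, "credential must be user:password"
    return True, (user, password)


def access_phase(header, users):
    """Toy access phase: returns the status the gateway should answer with.
    Every parse failure is a client error (401), never a server error (500)."""
    ok, payload = extract_basic_credentials(header)
    if not ok:
        return 401
    user, password = payload
    expected = users.get(user)
    if expected is None:
        return 401
    # constant-time comparison so the check leaks nothing about the secret
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return 401
    return 200


if __name__ == "__main__":
    for h in (SAMPLE_HEADER, "Bearer abc", "Basic !!!", None):
        print(repr(h), "->", access_phase(h, USERS))
```

The point of the hardened version is that the parse step has exactly two outcomes, a credential pair or a reason string, so the caller can only ever turn it into `401`; there is no code path on which client-controlled input reaches an exception and surfaces as a `500` with a stack trace in the error log.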



[GitHub] [apisix] spacewander commented on issue #5411: bug: basic-auth plugin will cause the request abort if Authorization header value is invalid

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #5411:
URL: https://github.com/apache/apisix/issues/5411#issuecomment-958778277


   It could be solved with this:
   https://github.com/apache/apisix/blob/10833592282787352ee9960ca1c5593985b785bb/apisix/plugins/ldap-auth.lua#L99





[GitHub] [apisix] spacewander closed issue #5411: bug: basic-auth plugin will cause the request abort if Authorization header value is invalid

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #5411:
URL: https://github.com/apache/apisix/issues/5411


   





[GitHub] [apisix] spacewander commented on issue #5411: bug: basic-auth plugin will cause the request abort if Authorization header value is invalid

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #5411:
URL: https://github.com/apache/apisix/issues/5411#issuecomment-960422523


   @leslie-tsang 
   Would you have a try?




