Prevent connections from subscribing to a group that's actually a valid connection ID or Hub name #1320

Closed
DamianEdwards opened this Issue · 1 comment

3 participants

@DamianEdwards

If an application enables auto rejoining of groups, and an attacker obtains a valid connection ID, they can craft a request that gets them subscribed to that connection ID by passing it as a group name instead (as group names are not validated by default if auto rejoin groups is enabled). The same thing can be done to get subscribed to a valid hub name, regardless of whether the hub has authorization enabled or not.

To close this hole, we should prefix all group names and all hub names with a hard-coded value (e.g. "g-" and "h-") before they are used as signals. All APIs that expose group/hub names should not include the prefix; the prefix is only ever added when accepting a non-prefixed group/hub name, before passing it to the message bus.

This makes it impossible for a value to be passed in via the groups querystring from a client on reconnect that will be turned into a valid connection ID or hub name, as it will always be prefixed with a "g-", which cannot match a connection ID (which are GUIDs) or a hub name (which would start with "h-").
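
The signal-name collision and the proposed prefixing, as an added example that is not part of the original issue and is not SignalR's code. The `Signals` class, its method names and the sample hub and group names are hypothetical; only the "g-" and "h-" prefixes come from the issue text.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper for illustration; not SignalR's API.
static class Signals
{
    const string GroupPrefix = "g-"; // prefixes as proposed in the issue
    const string HubPrefix = "h-";

    // Before: client-supplied group names become bus signals verbatim.
    public static HashSet<string> Unprefixed(string connectionId,
        IEnumerable<string> hubs, IEnumerable<string> groups)
    {
        var set = new HashSet<string>(StringComparer.Ordinal) { connectionId };
        set.UnionWith(hubs);
        set.UnionWith(groups);
        return set;
    }

    // After: the prefix is added where names are accepted, so a group
    // signal can never equal a connection ID (GUID) or an "h-" hub signal.
    public static HashSet<string> Prefixed(string connectionId,
        IEnumerable<string> hubs, IEnumerable<string> groups)
    {
        var set = new HashSet<string>(StringComparer.Ordinal) { connectionId };
        set.UnionWith(hubs.Select(h => HubPrefix + h));
        set.UnionWith(groups.Select(g => GroupPrefix + g));
        return set;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample values.
        string otherId = Guid.NewGuid().ToString();  // another connection's ID
        string callerId = Guid.NewGuid().ToString(); // the reconnecting client
        var hubs = new[] { "chat" };
        // Client-controlled groups list sent on reconnect.
        var groups = new[] { "room1", otherId, "adminHub", "h-adminHub" };

        var before = Signals.Unprefixed(callerId, hubs, groups);
        var after = Signals.Prefixed(callerId, hubs, groups);
        bool connBefore = before.Contains(otherId), hubBefore = before.Contains("adminHub");
        bool connAfter = after.Contains(otherId), hubAfter = after.Contains("h-adminHub");
        Console.WriteLine($"before: connection signal={connBefore}, hub signal={hubBefore}");
        Console.WriteLine($"after:  connection signal={connAfter}, hub signal={hubAfter}");
    }
}
```

The group entry `h-adminHub` is stored as `g-h-adminHub`, which shows why the prefix must be added unconditionally rather than only when it is missing.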

@davidfowl davidfowl was assigned
@davidfowl davidfowl referenced this issue from a commit
Commit has since been removed from the repository and is no longer available.
@davidfowl davidfowl referenced this issue from a commit
@davidfowl davidfowl Prefix signals to avoid collisions and security issues.
- Prefix all signals with a unique prefix.
- Changed various apis to IE<T> to IList<T>
- Updated tests.

#1320
0dc7cfb
@Xiaohongt Xiaohongt was assigned
@Xiaohongt
Collaborator

verified, log new issue #1326 for group from PersistentConnectionContext

@Xiaohongt Xiaohongt closed this