【v2.1.0】access_token访问漏洞 #9830
Labels
status/duplicate
This issue or pull request already exists
Comments
|
PRs welcome. |
|
Maybe Fixed in 2.2.0 with #9380 |
|
พี่หนูต้องส่งให้ที่ไหนต่อในวันที่ อ. 10 ม.ค. 2023 17:08 lihaopeng ***@***.***> เขียนว่า:
Describe the bug
A clear and concise description of what the bug is.
nacos.io/zh-cn/docs/auth.html 按照官网;docker启动进行了如下配置 NACOS_AUTH_ENABLE=true NACOS_AUTH_TOKEN=字符串
NACOS_AUTH_TOKEN并没有生效;还是继续用 默认的secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
使用jwt加密生成access_token,猜可以访问api接口
用自定义的NACOS_AUTH_TOKEN=字符串 生成的access_token访问不了
Expected behavior
A clear and concise description of what you expected to happen.
使用自定义的NACOS_AUTH_TOKEN;生成access_token能够访问api接口
Actually behavior
A clear and concise description of what you actually to happen.
还是需要使用 默认的secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789;生成access_token能够访问api接口
How to Reproduce
Steps to reproduce the behavior:
shell docker run --env PREFER_HOST_MODE=hostname --env MODE=standalone --env NACOS_AUTH_ENABLE=true --env NACOS_AUTH_TOKEN=SecretKey:e472c13e-a568-47cd-bb49-c15e253f62e9 -p 8848:8848 nacos/nacos-server:2.1.0
Desktop (please complete the following information):
OS: [e.g. Centos]:centosVersion [e.g. nacos-server 1.3.1, nacos-client 1.3.1]:2.1.0Module [e.g. naming/config]SDK [e.g. original, spring-cloud-alibaba-nacos, dubbo]
Additional context
Add any other context about the problem here.
public static String createToken(String userName) throws IOException {
long now = System.currentTimeMillis();
Date validity;
validity = new Date(now + 18000 * 1000L);
String raw_key = "SecretKey012345678901234567890123456789012345678901234567890123456789";
String raw_key222 = "SecretKey:e472c13e-a568-47cd-bb49-c15e253f62e9";
byte[] key_byte = new BASE64Decoder().decodeBuffer(raw_key);
Claims claims = Jwts.claims().setSubject(userName);
return Jwts.builder().setClaims(claims).setExpiration(validity)
.signWith(Keys.hmacShaKeyFor(key_byte), SignatureAlgorithm.HS256).compact();
}`
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
KomachiSion
added
status/duplicate
|
鉴于持续有人问这个issue的问题, 在这里说明下, 这个不是漏洞~, 不是漏洞~ , 不是漏洞~ 我使用nacos2.1.0版本在本地启动, 只在token.key后面添加一个'a'字符,开启鉴权后启动测试, 返回接口为403错误 invalid token。
。关于pr fixed是另一个使用问题, 部分token,key会导致生成token失败,导致登录失败。对应pr有说明。 至于本issue提交的漏洞,大概率是用户自己的环境有问题,导致配置未生效。 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
A clear and concise description of what the bug is.
nacos.io/zh-cn/docs/auth.html 按照官网;docker启动进行了如下配置 NACOS_AUTH_ENABLE=true NACOS_AUTH_TOKEN=字符串
NACOS_AUTH_TOKEN并没有生效;还是继续用 默认的secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
使用jwt加密生成access_token,猜可以访问api接口
用自定义的NACOS_AUTH_TOKEN=字符串 生成的access_token访问不了
Expected behavior
A clear and concise description of what you expected to happen.
使用自定义的NACOS_AUTH_TOKEN;生成access_token能够访问api接口
Actually behavior
A clear and concise description of what you actually to happen.
还是需要使用 默认的secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789;生成access_token能够访问api接口
How to Reproduce
Steps to reproduce the behavior:
shell docker run --env PREFER_HOST_MODE=hostname --env MODE=standalone --env NACOS_AUTH_ENABLE=true --env NACOS_AUTH_TOKEN=SecretKey:e472c13e-a568-47cd-bb49-c15e253f62e9 -p 8848:8848 nacos/nacos-server:v2.1.0Desktop (please complete the following information):
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: