Disallow parsing of token with none signature in authenticateToken #9172

Merged: 2 commits merged into apache:master from disable_none_alg on Feb 9, 2021

Conversation

@nodece (Member) commented Jan 11, 2021

Signed-off-by: Zixuan Liu nodeces@gmail.com

Motivation

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).

Modifications

  • using parseClaimsJws instead of parse

parseClaimsJws guarantees the correct security model for parsing signed JWTs.

Verifying this change

  • Make sure that the change passes the CI checks.
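The difference between `parse` and `parseClaimsJws` that the description above (and the cherry-pick commit messages further down) rely on, as an added example; this is not Pulsar's code and not taken from this PR. It assumes jjwt 0.11.x (the io.jsonwebtoken artifacts jjwt-api, jjwt-impl and jjwt-jackson) on the classpath; the class, method and claim names are illustrative, and a freshly generated HS256 key stands in for the broker's validation key.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Base64;

// Added example, not Pulsar's own code. Assumes jjwt 0.11.x; every name other than
// the jjwt API calls is illustrative.
public class NoneAlgorithmDemo {

    // Attacker side: build an unsigned token by hand. The header says alg=none and the
    // segment after the second dot (the signature) is empty, so there is nothing to verify.
    static String forgeUnsignedToken(String subject) {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = b64.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64.encodeToString(("{\"sub\":\"" + subject + "\"}").getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".";
    }

    // Before the fix: parse() hands back whatever the token carries, signed or not.
    // For the unsigned token above the configured key is never consulted, so the
    // attacker-chosen subject comes out looking authenticated.
    static String subjectViaParse(JwtParser parser, String token) {
        Jwt<?, ?> jwt = parser.parse(token);
        return ((Claims) jwt.getBody()).getSubject();
    }

    // After the fix: parseClaimsJws() only returns a signed and verified Jws<Claims>.
    // An unsigned token makes it throw UnsupportedJwtException (a JwtException).
    static String subjectViaParseClaimsJws(JwtParser parser, String token) {
        Jws<Claims> jws = parser.parseClaimsJws(token);
        return jws.getBody().getSubject();
    }

    public static void main(String[] args) {
        Key validationKey = Keys.secretKeyFor(SignatureAlgorithm.HS256); // stands in for the broker's key
        JwtParser parser = Jwts.parserBuilder().setSigningKey(validationKey).build();

        String legit = Jwts.builder().setSubject("alice").signWith(validationKey).compact();
        String forged = forgeUnsignedToken("admin");

        System.out.println("parse()          legit  -> " + subjectViaParse(parser, legit));
        System.out.println("parse()          forged -> " + subjectViaParse(parser, forged));
        System.out.println("parseClaimsJws() legit  -> " + subjectViaParseClaimsJws(parser, legit));
        try {
            subjectViaParseClaimsJws(parser, forged);
            System.out.println("parseClaimsJws() forged -> accepted (the pre-fix behaviour)");
        } catch (JwtException e) {
            System.out.println("parseClaimsJws() forged -> rejected: " + e.getMessage());
        }
    }
}
```

Two things worth knowing when applying the same fix elsewhere: `parseClaimsJws` verifies whichever algorithm the header names as long as it is compatible with the configured key, so a deployment that uses exactly one algorithm can additionally compare `jws.getHeader().getAlgorithm()` against it; and the permissive `parse()` behaviour shown here is that of jjwt 0.11.x, while jjwt 0.12 reworked the parser so that unsecured tokens are rejected unless the parser is explicitly built to allow them. Either way, every call site that handles client tokens needs the strict method, not just the one named in this PR's title.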

@sijie (Member) commented Jan 11, 2021

/pulsarbot run-failure-checks

@sijie added this to the 2.8.0 milestone Jan 11, 2021
@sijie added the area/security, release/2.7.1 and type/bug labels Jan 11, 2021
@315157973 (Contributor) commented

/pulsarbot run-failure-checks

@315157973 (Contributor) left a review comment

It seems that many auth-related unit tests have failed.

@sijie (Member) commented Jan 12, 2021

@315157973 Great catch!

@nodece Can you add a flag to turn this validation on/off?

@nodece force-pushed the disable_none_alg branch 2 times, most recently from 5942092 to a5b7ebd on January 12, 2021 07:59
@hangc0276 (Contributor) commented

/pulsarbot run-failure-checks

@hangc0276 (Contributor) commented

/pulsarbot run-failure-checks

@nodece (Member, Author) commented Jan 14, 2021

@hangc0276 CI - Integration - Sql / sql still failed.

@nodece (Member, Author) commented Jan 19, 2021

@sijie CI - Integration - Sql / sql (pull_request) always failed. could you reset that?

@tuteng (Member) commented Jan 19, 2021

/pulsarbot run-failure-checks

@tuteng (Member) commented Jan 20, 2021

/pulsarbot run-failure-checks

@nodece (Member, Author) commented Jan 20, 2021

/pulsarbot run-failure-checks

@tuteng (Member) commented Jan 20, 2021

/pulsarbot run-failure-checks

@codelipenghui (Contributor) commented

@nodece Please rebase the master branch

@nodece (Member, Author) commented Jan 24, 2021

/pulsarbot run-failure-checks

@nodece (Member, Author) commented Jan 25, 2021

/pulsarbot run-failure-checks

Signed-off-by: Zixuan Liu <nodeces@gmail.com>
@nodece (Member, Author) commented Feb 3, 2021

/pulsarbot run-failure-checks

@tuteng (Member) commented Feb 4, 2021

/pulsarbot run-failure-checks

@nodece (Member, Author) commented Feb 8, 2021

All tests have passed.

@sijie sijie merged commit 71bc841 into apache:master Feb 9, 2021
@sijie (Member) commented Feb 9, 2021

@nodece Awesome contribution!

@codelipenghui added the cherry-picked/branch-2.7 label Feb 18, 2021
codelipenghui pushed a commit that referenced this pull request Feb 18, 2021
…9172)

Signed-off-by: Zixuan Liu <nodeces@gmail.com>

### Motivation

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).

### Modifications

- using `parseClaimsJws` instead of `parse`

`parseClaimsJws` guarantees the correct security model for parsing signed JWTs.


(cherry picked from commit 71bc841)
cdbartholomew pushed a commit to kafkaesque-io/pulsar that referenced this pull request May 25, 2021
…pache#9172)

eolivelli pushed a commit that referenced this pull request May 26, 2021
…9172)
(cherry picked from commit 71bc841)

eolivelli pushed a commit to datastax/pulsar that referenced this pull request May 26, 2021
…pache#9172)
(cherry picked from commit 71bc841)

lhotari pushed a commit to lhotari/pulsar that referenced this pull request May 26, 2021
…pache#9172)
(cherry picked from commit 71bc841)
Labels: area/security, cherry-picked/branch-2.7, release/2.6.4, release/2.7.1, type/bug

8 participants