
Commit d1558e2

Merge pull request #62 from nemmerich/master
Fix authentication bypass
2 parents b8b1f6e + d0d9f95 commit d1558e2


2 files changed

+61
-2
lines changed


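--- a/lib/resty/jwt.lua
+++ b/lib/resty/jwt.lua
@@ -284,6 +284,7 @@ local function parse_jwe(self, preshared_key, encoded_header, encoded_encrypted_
 local iv = _M:jwt_decode(encoded_iv)
 local signature_or_tag = _M:jwt_decode(encoded_auth_tag)
 local basic_jwe = {
+typ = str_const.JWE,
 internal = {
 encoded_header = encoded_header,
 cipher_text = cipher_text,
@@ -322,6 +323,7 @@ local function parse_jwt(encoded_header, encoded_payload, signature)
 end
 
 local basic_jwt = {
+typ = str_const.JWT,
 raw_header=encoded_header,
 raw_payload=encoded_payload,
 header=header,
@@ -549,7 +551,7 @@ function _M.sign(self, secret_key, jwt_obj)
 end
 end
 
-if typ == str_const.JWE or jwt_obj.header.enc then
+if jwt_obj.typ == str_const.JWE or (jwt_obj.typ == nil and (typ == str_const.JWE or jwt_obj.header.enc)) then
 return sign_jwe(self, secret_key, jwt_obj)
 end
 -- header alg check
@@ -824,12 +826,17 @@ function _M.verify_jwt_obj(self, secret, jwt_obj, ...)
 end
 
 -- if jwe, invoked verify jwe
-if jwt_obj[str_const.header][str_const.enc] then
+if jwt_obj.typ == str_const.JWE or (jwt_obj.typ == nil and jwt_obj.internal ~= nil and jwt_obj[str_const.header][str_const.enc]) then
 return verify_jwe_obj(jwt_obj)
 end
 
 local alg = jwt_obj[str_const.header][str_const.alg]
 
+if alg == nil then
+jwt_obj[str_const.reason] = "No algorithm supplied"
+return jwt_obj
+end
+
 local jwt_str = string_format(str_const.regex_jwt_join_str, jwt_obj.raw_header , jwt_obj.raw_payload , jwt_obj.signature)
 
 if self.alg_whitelist ~= nil then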
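Review bot: The rewritten dispatch conditions in verify_jwt_obj and in _M.sign carry no comment explaining the trust boundary they enforce, which is the substance of this bypass fix: `jwt_obj.typ` is assigned by parse_jwe/parse_jwt from the token's structure, whereas `header.enc` (and the local `typ` in sign) come from the caller-supplied header, so the header-based branch must stay limited to caller-built objects where `typ == nil`. Suggest hoisting each condition into a named local preceded by that explanation, e.g. `-- typ is set by parse_jwe/parse_jwt and is authoritative; fall back to the` / `-- untrusted header fields only for caller-built objects that carry no typ` / `local is_jwe = jwt_obj.typ == str_const.JWE or (jwt_obj.typ == nil and jwt_obj.internal ~= nil and jwt_obj[str_const.header][str_const.enc])`, so a later edit does not quietly reintroduce the header-only check. The new `alg == nil` early return sets only the reason; if the parser does not already initialise the verified flag to false (not visible in this hunk), it should be set explicitly before returning. Both enclosing functions start and end outside the hunks shown.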

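--- a/t/load-verify.t
+++ b/t/load-verify.t
@@ -803,4 +803,56 @@ true
 everything is awesome~ :p
 test
 --- no_error_log
+[error]
+
+=== TEST 26: Verify invalid JWT which looks like a JWE
+--- http_config eval: $::HttpConfig
+--- config
+location /t {
+content_by_lua '
+local jwt = require "resty.jwt"
+local jwt_str = "eyJ0eXAiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIn0" ..
+".eyJmb28iOiJiYXIifQ" ..
+".signature"
+
+local jwt_obj = jwt:load_jwt(jwt_str)
+local verified_obj = jwt:verify_jwt_obj(
+"lua-resty-jwt", jwt_obj, { }
+)
+ngx.say(jwt_obj["verified"])
+ngx.say(jwt_obj["reason"])
+';
+}
+--- request
+GET /t
+--- response_body
+false
+No algorithm supplied
+--- no_error_log
+[error]
+
+=== TEST 26: Verify invalid JWT which looks like a JWE with alg
+--- http_config eval: $::HttpConfig
+--- config
+location /t {
+content_by_lua '
+local jwt = require "resty.jwt"
+local jwt_str = "eyJ0eXAiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiSFMyNTYifQ" ..
+".eyJmb28iOiJiYXIifQ" ..
+".signature"
+
+local jwt_obj = jwt:load_jwt(jwt_str)
+local verified_obj = jwt:verify_jwt_obj(
+"lua-resty-jwt", jwt_obj, { }
+)
+ngx.say(jwt_obj["verified"])
+ngx.say(jwt_obj["reason"])
+';
+}
+--- request
+GET /t
+--- response_body
+false
+signature mismatch: signature
+--- no_error_log
 [error]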
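Review bot: Both new test blocks are titled `=== TEST 26`, so the second should be renumbered `=== TEST 27: Verify invalid JWT which looks like a JWE with alg` to keep Test::Nginx block names unique and a failure attributable to one case. The two cases together cover the missing-alg early return and the header-only `enc` path with an `alg` present, which is the right pair for this fix; the second expected body `signature mismatch: signature` depends on how the verifier reports the literal placeholder signature, so it may need adjusting if that message changes.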
