-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bugfix issue 27877 jwt token with space is valid #28678
Bugfix issue 27877 jwt token with space is valid #28678
Conversation
912903a
to
70731bd
Compare
/wait |
return value_str.substr(starting); | ||
} | ||
return value_str.substr(starting, ending - starting); | ||
return value_str.substr(starting); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is a runtime guard warranted for this change? https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md#runtime-guarding
Generally as a community we try to guard [...] most user-visible non-config-guarded changes to protocol processing (for example additions or changes to HTTP headers or how HTTP is serialized out) for non-alpha features. Feel free to tag @envoyproxy/maintainers if you aren't sure if a given change merits runtime guarding.
I'm slightly worried it will break runtime traffic for clients using it (https://www.hyrumslaw.com/). Though this is a very unique corner case and I doubt clients rely on this behavior. Either way, worth asking @envoyproxy/maintainers
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RFC 7519 implies that adding non-Base64URL characters after a valid JWT token makes it invalid. Thus, if a the JWT is followed by a space and some Base64URL characters or just followed by non Base64URL characters like ### (without any space) it should be considered invalid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@danieldradware we agree with you that the current behavior is a bug. However there could be Envoy users who relied on this buggy behavior and if we just change it it will affect their system. To prevent this we add runtime override that would bring back old behavior. In 6 months this override is removed.
It is not very hard to add a runtime override. Please see PR #27974 for example.
a86086f
to
0c37cbf
Compare
feb3a6f
to
0ed9834
Compare
Hi @yanavlasov |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/wait
return value_str.substr(starting); | ||
} | ||
return value_str.substr(starting, ending - starting); | ||
return value_str.substr(starting); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@danieldradware we agree with you that the current behavior is a bug. However there could be Envoy users who relied on this buggy behavior and if we just change it it will affect their system. To prevent this we add runtime override that would bring back old behavior. In 6 months this override is removed.
It is not very hard to add a runtime override. Please see PR #27974 for example.
5e0be3c
to
3ac8ab9
Compare
@danieldradware the runtime features require alphanumeric order
|
Can you also add a test that check the behavior with the /wait |
ced687c
to
ba5972b
Compare
…non base64 characters Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
…(dis) Signed-off-by: danield <danield@radware.com>
@yanavlasov i think this is waiting on further review /wait-any |
Signed-off-by: danield <danield@radware.com>
…ass-invalid-authorization-bearer
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Signed-off-by: danield <danield@radware.com>
Hi @yanavlasov @phlax |
Thanks for rerun it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/wait
RUNTIME_GUARD(envoy_reloadable_features_uhv_allow_malformed_url_encoding); | ||
RUNTIME_GUARD(envoy_reloadable_features_uhv_preserve_url_encoded_case); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These runtime keys looks like result of a bad merge. Please remove them, since they are not part of this change.
I was also looking for a test with the following in it:
that tests old behavior. Can you add a test like this please? |
Hi @yanavlasov |
removed RUNTIME_GUARD(envoy_reloadable_features_uhv_preserve_url_encoded_case); Signed-off-by: danieldradware <117576776+danieldradware@users.noreply.github.com>
Can you please rerun Linux arm64 section? |
/retest |
Hi @yanavlasov BTW who can give to this PR an approval? Thanks a lot |
…non base64 characters
Commit Message:
This PR should fix issue #27877
Additional Description:
New behavior isn't cutting characters after non base64 character
Now expected to get all token and then mark it as invalid jwt
All details in issue #27877
Risk Level:
Medium
Testing:
Added unit test
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
Fixes #27877
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]