
jwt can not be detected when length doesn't match the regular expression range #1207

Closed
xiaotaozi1127 opened this issue Jun 23, 2023 · 1 comment · Fixed by #1214
Labels
bug Something isn't working

Comments

@xiaotaozi1127

xiaotaozi1127 commented Jun 23, 2023

Describe the bug
JSON Web Token cannot be detected successfully if the length of the three parts does not match the range specified in the regular expression.

To Reproduce
Given a JWT value like this:
eyJhbGciOiJSUzI1NiJ9.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.EK5TbwsIgde3mT3n7NK2W7TCvpgQQLzshvPPANRQeUmKOv2AWbo_7vNEDTSkwUlaHRN3-dknv8F95p5MsGTzH6Uva8aOPJG6JdBIoYX_ud3aBN-hY1i2Xpf8pqjeINfY3_gDNAB9gdMznEej2uqhPwUXmZtcuWPdUCCeNqPJbRUAJeVXxLr_JtQzO2jmuwNY_YYp7KaEIANZwG1spvLuIGZ0HA03u8ye9c2lfqYcjgfIkjMrwgWPamR7joZOZPdQSO2EHrF7bUWMjRNY-FF5V7tOjEijkknE_nDq5THcEvx1seHYFdFNwy9LSSGGPVmZMKTKQ3UUlZZyBMXcOpOA9w

I can commit the code successfully and gitleaks cannot detect such leaks.

Expected behavior
Expect this JWT to be detected and the commit to be blocked.

Basic Info (please complete the following information):

  • OS: macOS
  • Gitleaks Version: v8.17.0

Additional context
Add any other context about the problem here.

cc @zricethezav

@xiaotaozi1127 xiaotaozi1127 added the bug Something isn't working label Jun 23, 2023
@xiaotaozi1127 xiaotaozi1127 changed the title json web token can not be detected when length doesn't match the regular expression range jwt can not be detected when length doesn't match the regular expression range Jun 23, 2023
@rgmz
Contributor

rgmz commented Jun 29, 2023

Good catch, I've discovered a few valid JWTs that have not been caught by the current rule.

I think we ought to bump up the lengths for all sections:

  1. The example header in RFC 7519: Example JWT is 40 characters long and would not be caught by ey[0-9a-z]{30,34}\.; technically the shortest valid header would be 19 characters (eyJhbGciOiJub25lIn0), and I've found JWTs with headers as long as 90 characters.
  2. I've found JWTs with large payloads; 500 characters may not suffice.
  3. I've found JWTs with signatures almost 400 characters long.

Additionally, the current rule is case-insensitive which increases the amount of false-positives, specifically around "ey" which should be a known discriminator — or at least increases the execution time of the regexes.
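The following is an added example, not gitleaks' own rule or code from either participant. It reproduces the header fragment quoted above (ey[0-9a-z]{30,34}\., case-insensitive) to show that the RFC 7519 example header (40 characters) and the 19-character {"alg":"none"} header both fall outside its range, and then shows a widened, case-sensitive pattern in the spirit of the comment. The widened bounds (17..88 for the header body, 10..1000 for the payload, 10..500 for the signature) and the base64url/JSON header check that filters false positives are this example's own assumptions, as is the sample input, which is constructed and carries no real secret.

```python
import base64
import json
import re

# Header fragment as quoted in the issue; case-insensitive like the rule under discussion.
OLD_HEADER_RE = re.compile(r"(?i)ey[0-9a-z]{30,34}\.")

# Widened, case-sensitive candidate pattern. Bounds are assumed for this example,
# chosen from the observations in the comment (headers up to 90, payloads beyond
# 500, signatures near 400 characters). "ey" is the base64url prefix of '{"'.
JWT_RE = re.compile(
    r"(?<![0-9A-Za-z_-])"
    r"(ey[0-9A-Za-z_-]{17,88}\.ey[0-9A-Za-z_-]{10,1000}\.[0-9A-Za-z_-]{10,500})"
    r"(?![0-9A-Za-z_-])"
)

# Constructed sample segments.
RFC_HEADER = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"  # RFC 7519 example header, 40 chars
NONE_HEADER = "eyJhbGciOiJub25lIn0"                       # {"alg":"none"}, 19 chars
PAYLOAD = "eyJzdWIiOiJ1c2VyIn0"                           # base64url({"sub":"user"}), constructed
SIG = "c0nstructedSignatureNotReal_0123456789abcdef"      # constructed, not a real signature

SAMPLE_TEXT = f"""# constructed sample input, not a real commit
token = "{RFC_HEADER}.{PAYLOAD}.{SIG}"
legacy = "{NONE_HEADER}.{PAYLOAD}.{SIG}"
noise = "eyZZZZZZZZZZZZZZZZZZZZZZ.eyZZZZZZZZZZZZ.ZZZZZZZZZZZZZZ"
"""


def old_rule_catches_header(header: str) -> bool:
    """Would the quoted header fragment match this header (plus its trailing dot)?"""
    return OLD_HEADER_RE.fullmatch(header + ".") is not None


def decode_segment(segment: str):
    """Base64url-decode a JWT segment (restoring padding) and parse it as JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))


def looks_like_jwt(candidate: str) -> bool:
    """Reduce regex false positives: the header must decode to a JSON object with 'alg'."""
    header = candidate.split(".", 1)[0]
    try:
        decoded = decode_segment(header)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False
    return isinstance(decoded, dict) and "alg" in decoded


def find_jwts(text: str) -> list:
    """Return regex candidates, in order of appearance, whose header passes the decode check."""
    return [m.group(1) for m in JWT_RE.finditer(text) if looks_like_jwt(m.group(1))]


if __name__ == "__main__":
    for h in (RFC_HEADER, NONE_HEADER):
        print(f"{len(h):2d}-char header caught by quoted fragment: {old_rule_catches_header(h)}")
    print("regex candidates:", len(JWT_RE.findall(SAMPLE_TEXT)))
    print("validated JWTs:  ", find_jwts(SAMPLE_TEXT))
```

Running it shows both real headers missed by the quoted fragment, three regex candidates in the sample, and only the two with a decodable header kept; the decode step is the kind of post-filter that lets a scanner widen its length ranges without a matching rise in false positives.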
