fix: client panic on missing digest value

After splitting key=value pairs, we check that there are really key AND value. A maliciously crafted response header can cause the client to panic.
go-resty · Mar 20, 2023 · c3ae2b7 · c3ae2b7
1 parent 38b1644
commit c3ae2b7
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/client_test.go b/client_test.go
@@ -133,6 +133,7 @@ func TestClientDigestErrors(t *testing.T) {
 		{mutateConf: func(c *digestServerConfig) { c.charset = "utf-16" }, expect: ErrDigestCharset},
 		{mutateConf: func(c *digestServerConfig) { c.uri = "/bad" }, expect: ErrDigestBadChallenge},
 		{mutateConf: func(c *digestServerConfig) { c.uri = "/unknown_param" }, expect: ErrDigestBadChallenge},
+		{mutateConf: func(c *digestServerConfig) { c.uri = "/missing_value" }, expect: ErrDigestBadChallenge},
 		{mutateConf: func(c *digestServerConfig) { c.uri = "/no_challenge" }, expect: ErrDigestBadChallenge},
 		{mutateConf: func(c *digestServerConfig) { c.uri = "/status_500" }, expect: nil},
 	}

diff --git a/digest.go b/digest.go
@@ -121,6 +121,9 @@ func parseChallenge(input string) (*challenge, error) {
 	var r []string
 	for i := range sl {
 		r = strings.SplitN(sl[i], "=", 2)
+		if len(r) != 2 {
+			return nil, ErrDigestBadChallenge
+		}
 		switch r[0] {
 		case "realm":
 			c.realm = strings.Trim(r[1], qs)

diff --git a/resty_test.go b/resty_test.go
@@ -645,22 +645,27 @@ func createDigestServer(t *testing.T, conf *digestServerConfig) *httptest.Server
 	if conf == nil {
 		conf = defaultDigestServerConf()
 	}
+
+	setWWWAuthHeader := func(w http.ResponseWriter, v string) {
+		w.Header().Set("WWW-Authenticate", v)
+		w.WriteHeader(http.StatusUnauthorized)
+	}
 	ts := createTestServer(func(w http.ResponseWriter, r *http.Request) {
 		t.Logf("Method: %v", r.Method)
 		t.Logf("Path: %v", r.URL.Path)
 
 		switch r.URL.Path {
 		case "/bad":
-			w.Header().Set("WWW-Authenticate", "Bad Challenge")
-			w.WriteHeader(http.StatusUnauthorized)
+			setWWWAuthHeader(w, "Bad Challenge")
 			return
 		case "/unknown_param":
-			w.Header().Set("WWW-Authenticate", "Digest unknown_param=true")
-			w.WriteHeader(http.StatusUnauthorized)
+			setWWWAuthHeader(w, "Digest unknown_param=true")
+			return
+		case "/missing_value":
+			setWWWAuthHeader(w, `Digest realm="hello", domain`)
 			return
 		case "/no_challenge":
-			w.Header().Set("WWW-Authenticate", "")
-			w.WriteHeader(http.StatusUnauthorized)
+			setWWWAuthHeader(w, "")
 			return
 		case "/status_500":
 			w.WriteHeader(http.StatusInternalServerError)
@@ -670,10 +675,9 @@ func createDigestServer(t *testing.T, conf *digestServerConfig) *httptest.Server
 		w.Header().Set(hdrContentTypeKey, "application/json; charset=utf-8")
 
 		if !authorizationHeaderValid(t, r, conf) {
-			w.Header().Set("WWW-Authenticate",
+			setWWWAuthHeader(w,
 				fmt.Sprintf(`Digest realm="%s", domain="%s", qop="%s", algorithm=%s, nonce="%s", opaque="%s", userhash=true, charset=%s, stale=FALSE`,
 					conf.realm, conf.uri, conf.qop, conf.algo, conf.nonce, conf.opaque, conf.charset))
-			w.WriteHeader(http.StatusUnauthorized)
 			_, _ = w.Write([]byte(`{ "id": "unauthorized", "message": "Invalid credentials" }`))
 		} else {
 			w.WriteHeader(http.StatusOK)