Skip to content

Commit

Permalink
AuthJWT: Fix JWT query param leak (CVE-2023-1387) (#825)
Browse files Browse the repository at this point in the history
fix JWT query param leak

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
  • Loading branch information
3 people authored and ricky-undeadcoders committed Apr 24, 2023
1 parent 57dbd0b commit df81ebb
Show file tree
Hide file tree
Showing 3 changed files with 79 additions and 4 deletions.
15 changes: 15 additions & 0 deletions pkg/services/authn/clients/jwt.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ import (
"github.com/grafana/grafana/pkg/util/errutil"
)

const authQueryParamName = "auth_token"

var _ authn.ContextAwareClient = new(JWT)

var (
Expand Down Expand Up @@ -50,6 +52,7 @@ func (s *JWT) Name() string {

func (s *JWT) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identity, error) {
jwtToken := s.retrieveToken(r.HTTPRequest)
s.stripSensitiveParam(r.HTTPRequest)

claims, err := s.jwtService.Verify(ctx, jwtToken)
if err != nil {
Expand Down Expand Up @@ -120,6 +123,18 @@ func (s *JWT) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identi
return id, nil
}

// remove sensitive query param
// avoid JWT URL login passing auth_token in URL
func (s *JWT) stripSensitiveParam(httpRequest *http.Request) {
if s.cfg.JWTAuthURLLogin {
params := httpRequest.URL.Query()
if params.Has(authQueryParamName) {
params.Del(authQueryParamName)
httpRequest.URL.RawQuery = params.Encode()
}
}
}

// retrieveToken retrieves the JWT token from the request.
func (s *JWT) retrieveToken(httpRequest *http.Request) string {
jwtToken := httpRequest.Header.Get(s.cfg.JWTAuthHeaderName)
Expand Down
44 changes: 44 additions & 0 deletions pkg/services/authn/clients/jwt_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -307,3 +307,47 @@ func TestJWTTest(t *testing.T) {
})
}
}

func TestJWTStripParam(t *testing.T) {
jwtService := &jwt.FakeJWTService{
VerifyProvider: func(context.Context, string) (jwt.JWTClaims, error) {
return jwt.JWTClaims{
"sub": "1234567890",
"email": "eai.doe@cor.po",
"preferred_username": "eai-doe",
"name": "Eai Doe",
"roles": "Admin",
}, nil
},
}

jwtHeaderName := "X-Forwarded-User"

cfg := &setting.Cfg{
JWTAuthEnabled: true,
JWTAuthHeaderName: jwtHeaderName,
JWTAuthAutoSignUp: true,
JWTAuthAllowAssignGrafanaAdmin: true,
JWTAuthURLLogin: true,
JWTAuthRoleAttributeStrict: false,
JWTAuthRoleAttributePath: "roles",
JWTAuthEmailClaim: "email",
JWTAuthUsernameClaim: "preferred_username",
}

// #nosec G101 -- This is a dummy/test token
token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o"

httpReq := &http.Request{
URL: &url.URL{RawQuery: "auth_token=" + token + "&other_param=other_value"},
}
jwtClient := ProvideJWT(jwtService, cfg)
_, err := jwtClient.Authenticate(context.Background(), &authn.Request{
OrgID: 1,
HTTPRequest: httpReq,
Resp: nil,
})
require.NoError(t, err)
// auth_token should be removed from the query string
assert.Equal(t, "other_param=other_value", httpReq.URL.RawQuery)
}
24 changes: 20 additions & 4 deletions pkg/services/contexthandler/auth_jwt.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,14 @@ import (
loginsvc "github.com/grafana/grafana/pkg/services/login"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/setting"
)

const (
InvalidJWT = "Invalid JWT"
InvalidRole = "Invalid Role"
UserNotFound = "User not found"
InvalidJWT = "Invalid JWT"
InvalidRole = "Invalid Role"
UserNotFound = "User not found"
authQueryParamName = "auth_token"
)

func (h *ContextHandler) initContextWithJWT(ctx *contextmodel.ReqContext, orgId int64) bool {
Expand All @@ -30,13 +32,15 @@ func (h *ContextHandler) initContextWithJWT(ctx *contextmodel.ReqContext, orgId

jwtToken := ctx.Req.Header.Get(h.Cfg.JWTAuthHeaderName)
if jwtToken == "" && h.Cfg.JWTAuthURLLogin {
jwtToken = ctx.Req.URL.Query().Get("auth_token")
jwtToken = ctx.Req.URL.Query().Get(authQueryParamName)
}

if jwtToken == "" {
return false
}

stripSensitiveParam(h.Cfg, ctx.Req)

// Strip the 'Bearer' prefix if it exists.
jwtToken = strings.TrimPrefix(jwtToken, "Bearer ")

Expand Down Expand Up @@ -204,3 +208,15 @@ func searchClaimsForStringAttr(attributePath string, claims map[string]interface

return "", nil
}

// remove sensitive query params
// avoid JWT URL login passing auth_token in URL
func stripSensitiveParam(cfg *setting.Cfg, httpRequest *http.Request) {
if cfg.JWTAuthURLLogin {
params := httpRequest.URL.Query()
if params.Has(authQueryParamName) {
params.Del(authQueryParamName)
httpRequest.URL.RawQuery = params.Encode()
}
}
}

0 comments on commit df81ebb

Please sign in to comment.