Password bypass vulnerability

[a1ien]

We can authorize by any user. For that we can use jwt token with empty shared_secret.
It's happen because

influxdb/services/httpd/handler.go

Lines 1585 to 1602 in e2af85d

	case BearerAuthentication:
	keyLookupFn := func(token *jwt.Token) (interface{}, error) {
	// Check for expected signing method.
	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
	return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
	}
	return []byte(h.Config.SharedSecret), nil
	}
	// Parse and validate the token.
	token, err := jwt.Parse(creds.Token, keyLookupFn)
	if err != nil {
	h.httpError(w, err.Error(), http.StatusUnauthorized)
	return
	} else if !token.Valid {
	h.httpError(w, "invalid token", http.StatusUnauthorized)
	return
	}

here we not check that h.Config.SharedSecret is not empty string.
In Authentication and authorization in InfluxDB document we not mention anything about shared-secret variable.

Also sems like we also not check exp state of token. And once generated token valid forewer.

[e-dard]

Thanks for the report @a1ien. We are investigating this issue as a priority.

[dgnorton]

@a1ien again, thanks for reporting the issue. A PR to fix the shared secret issue has been made.

Also sems like we also not check exp state of token. And once generated token valid forever.

If the expiration claim is set on the token and it has expired, the parser will return an error here:

influxdb/services/httpd/handler.go

Lines 1606 to 1608 in 932521b

	// Parse and validate the token.
	token, err := jwt.Parse(creds.Token, keyLookupFn)
	if err != nil {

It ensures an expiration was set here:

influxdb/services/httpd/handler.go

Lines 1623 to 1627 in 932521b

	// Make sure an expiration was set on the token.
	if exp, ok := claims["exp"].(float64); !ok || exp <= 0.0 {
	h.httpError(w, "token expiration required", http.StatusUnauthorized)
	return
	}

And is tested here:

influxdb/services/httpd/handler_test.go

Lines 209 to 219 in 932521b

	// Test handler with expired JWT token.
	_, signedToken = MustJWTToken("user1", h.Config.SharedSecret, true)
	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", signedToken))
	w = httptest.NewRecorder()
	h.ServeHTTP(w, req)
	if w.Code != http.StatusUnauthorized {
	t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String())
	} else if !strings.Contains(w.Body.String(), `{"error":"Token is expired`) {
	t.Fatalf("unexpected body: %s", w.Body.String())
	}

[a1ien]

i am not see any check that exp > time.now()

[dgnorton]

@a1ien the check isn't done by InfluxDB. It's done by the jwt library InfluxDB uses to parse tokens. The jwt.Parse function mentioned above will return an error if it sees that the token has expired.

[a1ien]

@dgnorton Ah you are correct.

[e-dard]

Fixed via #13088, #13132, #13133.