case sensitive in jwtauthn match prefix #1633
Comments
According to RFC3986, only the host, scheme, and hexadecimal digits should be case-insensitive. The other generic syntax components are assumed to be case-sensitive. So, by default, the prefix "/index" should not match with "/indeX".

Yes, that's true for RFC3986, but the conventions generally use all-lowercase paths. As MOSN is a general network proxy, I think its function of authenticating the matching path needs to support the differences of most applications to the greatest extent. Personally, I suggest that case-insensitive matching be enabled by default, and users can configure it themselves. If the default is case-sensitive, it is best to remind users of possible risks.

Is there any documentation about the conventions you mentioned? I referred to the Envoy JWT Authentication module, but found that its match is also case-sensitive by default. Or am I wrong in some places?

There may not be an explicit rule on this. I see in dapr (dapr/dapr#2768, https://github.com/dapr/dapr/blob/e3846f5f4126cc1e9fa782c638e10b23dbdf6fba/pkg/config/configuration.go#L558) they appear to be case-insensitive after a security audit. But now I think it's better to be consistent with the RFC and Envoy as you do.
Describe the bug
When using JWT authorization, the prefix match against the URL is case-sensitive, which can lead to authentication bypass in some scenarios.
It is recommended to apply URL normalization and employ case-insensitive comparison in order to eliminate the risk of potential access control list bypasses.
Expected behavior
Be intercepted by jwtauthn
Actual behavior
Bypass the intercept
Steps to reproduce
config.js
NodeJS with Express
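The normalize-then-compare check that the report recommends, and the RFC3986 point from the discussion (only scheme, host and percent-encoding hex digits are case-insensitive), as an added Go example. This is illustration code, not MOSN's jwtauthn matcher; PrefixRule, NormalizePath and the sample paths are assumptions made for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// PrefixRule is a hypothetical path-prefix rule guarding a JWT-protected
// route. It is an illustration, not MOSN's jwtauthn implementation.
type PrefixRule struct {
	Prefix          string
	CaseInsensitive bool // off by default, consistent with RFC 3986 and Envoy
}

func isHex(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')
}

// NormalizePath applies the normalizations RFC 3986 allows on a path
// without changing its meaning: a leading slash, dot-segment removal
// ("/a/../b" -> "/b") and uppercase hex digits in percent-encodings
// ("%2f" -> "%2F"). The letter case of the path itself is left alone,
// because under the RFC only scheme, host and those hex digits are
// case-insensitive.
func NormalizePath(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	clean := path.Clean(p)
	var b strings.Builder
	for i := 0; i < len(clean); i++ {
		if clean[i] == '%' && i+2 < len(clean) && isHex(clean[i+1]) && isHex(clean[i+2]) {
			b.WriteByte('%')
			b.WriteString(strings.ToUpper(clean[i+1 : i+3]))
			i += 2
			continue
		}
		b.WriteByte(clean[i])
	}
	return b.String()
}

// Matches reports whether requestPath falls under the rule's prefix after
// both sides are normalized. Comparing the raw strings instead would let
// "/other/../index" slip past a rule written for "/index". Case folding is
// applied only when the rule opts in, which is the configurable default
// the discussion asks for.
func (r PrefixRule) Matches(requestPath string) bool {
	got := NormalizePath(requestPath)
	want := NormalizePath(r.Prefix)
	if r.CaseInsensitive {
		got = strings.ToLower(got)
		want = strings.ToLower(want)
	}
	return strings.HasPrefix(got, want)
}

func main() {
	rules := []PrefixRule{
		{Prefix: "/index"},
		{Prefix: "/index", CaseInsensitive: true},
	}
	// Constructed sample request paths, including the "/indeX" case from the report.
	for _, p := range []string{"/index", "/indeX", "/INDEX/page", "/other/../index", "/other"} {
		for _, r := range rules {
			fmt.Printf("rule %-8q insensitive=%-5v path %-18q -> intercepted=%v\n",
				r.Prefix, r.CaseInsensitive, p, r.Matches(p))
		}
	}
}
```

With the default rule, "/indeX" is not intercepted while "/other/../index" is, because dot segments are removed before the prefix comparison; switching CaseInsensitive on makes "/indeX" and "/INDEX/page" hit the rule as well. Whichever default a proxy picks, normalizing before comparing is what closes the dot-segment variant.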