SECURITY VULNERABILITY - request without token, or empty token is granted access #142
Comments
I also wonder why the constructor

```ruby
def initialize(payload: {}, token: nil, verify_options: {})
  if token.present?
    # Verify branch: decode and check the signature of the supplied token.
    @payload, _ = JWT.decode token, decode_key, true, options.merge(verify_options)
    @token = token
  else
    # Issue branch: no token given, so a brand-new one is minted.
    @payload = claims.merge(payload)
    @token = JWT.encode @payload,
                        secret_key,
                        Knock.token_signature_algorithm
  end
end
```

is there a reason why it isn't two separate constructors (or two separate classes sharing some behaviour through modules)? [As I mentioned, I'm new here, so I might not see the reason behind it.]
This checks out. I was wondering as well.
@AldrichMascarenhas, can you show us some examples of requests with no token using for example Postman?
@johnunclesam books_controller has a
I added the fix that @cs3b mentioned in his post to my application_controller and it successfully works.
I encountered the same vulnerability when testing my application that uses knock. What does the test coverage for this gem look like? Update: It appears as if my problem concerned namespaced models...
From what I see there is no test case for `context: authorization header not provided`. Can anyone confirm?
@cs3b thank you for reporting this. @AldrichMascarenhas thank you for providing example code. Knock's responsibility is to assert the existence of a correctly signed token. I agree that in the case where a token isn't provided, the execution should be stopped as soon as possible by Knock and it should not try to instantiate a user. This needs to be fixed (I'm happy to do it myself or review someone else's PR).
What this issue is not:
What this issue is:
In the case of the example code provided, this would mean actually checking that the sub key is present (using --
No good reason. It's one of the things I've been willing to refactor but haven't taken the time yet.
Isn't the test at line 20 what you're looking for? Sorry if the test description isn't explicit. Although I don't believe knock lacks test coverage, the tests could definitely be improved in terms of readability.
#143 should address the issue. @cs3b (and others) Could you please review it and let me know if I'm missing something? Ultimately, I believe a deeper refactoring of the Thank you everyone for the precious feedback.
@nsarno yes it looks good - thank you 👍
I've added `knock` to `JSONAPI::ResourceControllerMetal` and I was surprised that all my controller specs were still working (without any token). Whenever I passed a wrong token the action was stopped. Digging deeper gave me a hint that `Knock::AuthToken.new(token: nil)` will generate a new token and no authentication is executed at all.

This is my first project where I'm using Knock; still, it looks to me like a serious vulnerability. I know that in the User finder method I can raise an exception, but `authenticate_user` should never let through a request without a valid token (in this case without any token). So far I've solved the problem by adding another `before_action` to my `ApplicationController`.

The most reasonable fix is to add this in `token_from_request_headers`.

I'm willing to prepare a pull request, but I would still like to have feedback from the previous contributors.
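The nil-token path described above, beside a hardened shape and the `before_action`-style guard, as an added Ruby example that is not knock's own code: `JWT.encode`/`JWT.decode` are replaced by an assumed HMAC stand-in (`sign`/`verify`), and `VulnerableAuthToken`, `SafeAuthToken` and `authorized_request?` are hypothetical names.

```ruby
require 'openssl'; require 'base64'; require 'json'

SECRET = 'constructed-demo-secret' # constructed value, not a real key

# Stand-ins for JWT.encode/decode, assumed so this runs without the jwt gem:
# an HMAC-SHA256 tag over a base64url-encoded JSON payload.
def sign(payload)
  body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
  "#{body}.#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, body)}"
end
def secure_eq(a, b) # constant-time string comparison
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end
def verify(token)
  body, mac = token.to_s.split('.', 2)
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, body.to_s)
  raise 'invalid signature' unless mac && secure_eq(mac, expected)
  JSON.parse(Base64.urlsafe_decode64(body))
end

# Mirrors the constructor quoted in the issue: a nil or empty token takes the
# else branch, so a fresh token is minted instead of the request failing.
class VulnerableAuthToken
  attr_reader :payload, :token
  def initialize(payload: {}, token: nil)
    if token && !token.empty?
      @payload, @token = verify(token), token
    else
      @payload = { 'sub' => nil }.merge(payload)
      @token = sign(@payload)
    end
  end
end

# Hardened shape: verify only; a missing or blank token is rejected up front,
# before any user lookup, and issuance is a separate call to sign.
class SafeAuthToken
  class MissingToken < StandardError; end
  attr_reader :payload
  def initialize(token:)
    raise MissingToken, 'no token provided' if token.nil? || token.strip.empty?
    @payload = verify(token)
  end
end

# The before_action workaround from the issue as a plain function: take the
# bearer token from the headers and refuse the request when none is present.
def authorized_request?(headers)
  token = headers['Authorization'].to_s[/\ABearer (.+)\z/, 1]
  SafeAuthToken.new(token: token)
  true
rescue SafeAuthToken::MissingToken, RuntimeError, ArgumentError
  false
end
```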