handle slice out of range (#13568)

* handle slice out of range * adding some tests
prysmaticlabs · Feb 1, 2024 · 2dad245 · 2dad245
1 parent 9a99906
commit 2dad245
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/validator/rpc/intercepter.go b/validator/rpc/intercepter.go
@@ -46,7 +46,13 @@ func (s *Server) JwtHttpInterceptor(next http.Handler) http.Handler {
 				http.Error(w, "unauthorized: no Authorization header passed. Please use an Authorization header with the jwt created in the prysm wallet", http.StatusUnauthorized)
 				return
 			}
-			token := strings.Split(reqToken, "Bearer ")[1]
+			tokenParts := strings.Split(reqToken, "Bearer ")
+			if len(tokenParts) != 2 {
+				http.Error(w, "Invalid token format", http.StatusBadRequest)
+				return
+			}
+
+			token := tokenParts[1]
 			_, err := jwt.Parse(token, s.validateJWT)
 			if err != nil {
 				http.Error(w, fmt.Errorf("forbidden: could not parse JWT token: %v", err).Error(), http.StatusForbidden)

diff --git a/validator/rpc/intercepter_test.go b/validator/rpc/intercepter_test.go
@@ -107,6 +107,43 @@ func TestServer_JwtHttpInterceptor(t *testing.T) {
 		testHandler.ServeHTTP(rr, req)
 		require.Equal(t, http.StatusOK, rr.Code)
 	})
+	t.Run("wrong jwt format was sent", func(t *testing.T) {
+		rr := httptest.NewRecorder()
+		req, err := http.NewRequest(http.MethodGet, "/eth/v1/keystores", nil)
+		require.NoError(t, err)
+		token, err := createTokenString(jwtKey)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", "Bearer"+token) // no space was added // Replace with a valid JWT token
+		testHandler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusBadRequest, rr.Code)
+	})
+	t.Run("wrong jwt no bearer format was sent", func(t *testing.T) {
+		rr := httptest.NewRecorder()
+		req, err := http.NewRequest(http.MethodGet, "/eth/v1/keystores", nil)
+		require.NoError(t, err)
+		token, err := createTokenString(jwtKey)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", token) // Replace with a valid JWT token
+		testHandler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusBadRequest, rr.Code)
+	})
+	t.Run("broken jwt token format was sent", func(t *testing.T) {
+		rr := httptest.NewRecorder()
+		req, err := http.NewRequest(http.MethodGet, "/eth/v1/keystores", nil)
+		require.NoError(t, err)
+		token, err := createTokenString(jwtKey)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", "Bearer "+token[0:2]+" "+token[2:]) // Replace with a valid JWT token
+		testHandler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusForbidden, rr.Code)
+	})
+	t.Run("web endpoint needs jwt token", func(t *testing.T) {
+		rr := httptest.NewRecorder()
+		req, err := http.NewRequest(http.MethodGet, "/api/v2/validator/beacon/status", nil)
+		require.NoError(t, err)
+		testHandler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusUnauthorized, rr.Code)
+	})
 	t.Run("initialize does not need jwt", func(t *testing.T) {
 		rr := httptest.NewRecorder()
 		req, err := http.NewRequest(http.MethodGet, api.WebUrlPrefix+"initialize", nil)