
⚠ OTA tokens must be purpose scoped #264

Closed
zekroTJA opened this issue Aug 1, 2021 · 0 comments · Fixed by #267
Assignees: zekroTJA
Labels: bug (Something isn't working), vulnerability

Comments

@zekroTJA (Owner) commented Aug 1, 2021

Description

An obtained OTA token is not scope-checked for its intended purpose and can be used to authenticate every subsequent API request.

This issue has only a low severity, because OTA tokens do not contain user state information, so endpoints which require user state will fail anyway (as shown below). However, OTA tokens should be purpose-scoped so that they cannot possibly be exploited for other purposes.

Steps to Reproduce

  1. Obtain an OTA token, for example by using the following API endpoint.
    POST /api/v1/guilds/{id}/backups/{backupid}/download
    
  2. Use the token via the ota_token query parameter for any other auth-required API endpoint.

The following script demonstrates the behavior described above.

#!/usr/bin/env bash
set -euo pipefail

TOKEN="<valid shinpuru API token>"
GUILD="<guild ID>"

# Pick the first backup of the guild and request an OTA download token for it.
BACKUP_ID=$(curl -s -H "Authorization: bearer $TOKEN" "https://shnp.de/api/v1/guilds/$GUILD/backups" | jq -r '.data[0].file_id')
OTA_TOKEN=$(curl -s -H "Authorization: bearer $TOKEN" -X POST "https://shnp.de/api/v1/guilds/$GUILD/backups/$BACKUP_ID/download" | jq -r '.token')

# The download token is accepted by an unrelated endpoint; it should be rejected there.
curl -s "https://shnp.de/api/v1/me?ota_token=$OTA_TOKEN" | jq
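One way to close the gap the issue describes, shown here as an added example that is not shinpuru's own code or the fix in #267: a server-side registry that binds each OTA token to the purpose and resource it was issued for and deletes it on first presentation, whatever the outcome. Because the token itself is an opaque random string, the binding has to live on the server. The type and function names (Purpose, Store, Issue, Redeem, the purpose constants) and the sample user and backup identifiers are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Purpose names the single operation an OTA token may authenticate.
// Hypothetical names, not shinpuru's own identifiers.
type Purpose string

const (
	PurposeBackupDownload Purpose = "backup-download"
	PurposeAvatarFetch    Purpose = "avatar-fetch"
)

var (
	ErrUnknownToken  = errors.New("ota: unknown or already used token")
	ErrExpired       = errors.New("ota: token expired")
	ErrWrongPurpose  = errors.New("ota: token not issued for this purpose")
	ErrWrongResource = errors.New("ota: token bound to a different resource")
)

// entry is what the server remembers about an issued token. The token string
// carries no state of its own, so purpose and resource are bound here.
type entry struct {
	userID   string
	purpose  Purpose
	resource string
	expires  time.Time
}

// Store is an in-memory, single-use token registry.
type Store struct {
	mu     sync.Mutex
	tokens map[string]entry
	ttl    time.Duration
	now    func() time.Time // injectable clock so expiry can be exercised offline
}

func NewStore(ttl time.Duration) *Store {
	return &Store{tokens: make(map[string]entry), ttl: ttl, now: time.Now}
}

// Issue mints a token on behalf of userID that is valid only for the given
// (purpose, resource) pair, e.g. ("backup-download", "guild/1234/backup/abcd").
func (s *Store) Issue(userID string, purpose Purpose, resource string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = entry{userID: userID, purpose: purpose, resource: resource, expires: s.now().Add(s.ttl)}
	return tok, nil
}

// Redeem consumes the token and returns the user it was issued for. The entry
// is deleted on first presentation regardless of the result, so a token sent
// to the wrong endpoint cannot afterwards be retried at the right one.
func (s *Store) Redeem(tok string, purpose Purpose, resource string) (string, error) {
	s.mu.Lock()
	e, ok := s.tokens[tok]
	delete(s.tokens, tok)
	s.mu.Unlock()
	if !ok {
		return "", ErrUnknownToken
	}
	if s.now().After(e.expires) {
		return "", ErrExpired
	}
	if e.purpose != purpose {
		return "", ErrWrongPurpose
	}
	if e.resource != resource {
		return "", ErrWrongResource
	}
	return e.userID, nil
}

func main() {
	s := NewStore(5 * time.Minute)
	const backup = "guild/1234/backup/abcd" // constructed resource id
	tok, _ := s.Issue("user-42", PurposeBackupDownload, backup)

	// The misuse from the issue: a download token presented to an unrelated endpoint.
	_, err := s.Redeem(tok, PurposeAvatarFetch, "user-42")
	fmt.Println("download token at avatar endpoint:", err)

	// The first presentation burned it, so even the intended use now fails.
	_, err = s.Redeem(tok, PurposeBackupDownload, backup)
	fmt.Println("same token at download endpoint:", err)

	// A fresh token used exactly where it was issued for succeeds once.
	tok, _ = s.Issue("user-42", PurposeBackupDownload, backup)
	uid, err := s.Redeem(tok, PurposeBackupDownload, backup)
	fmt.Println("fresh token, correct use:", uid, err)
}
```

The order of checks matters for what a caller learns: the entry is removed before any comparison, so an attacker who obtained a token for one endpoint gains nothing by probing others with it, and a legitimate client that mis-routes its own token simply has to request a new one.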
zekroTJA added the labels "bug (Something isn't working)" and "vulnerability" on Aug 1, 2021
zekroTJA self-assigned this on Aug 1, 2021
zekroTJA changed the title from "⚠ OTA tokens must be scoped" to "⚠ OTA tokens must be purpose scoped" on Aug 1, 2021
zekroTJA added a commit that referenced this issue on Aug 1, 2021
zekroTJA mentioned this issue on Aug 5, 2021