Fix regexp no hit panic (#332)
jbygdell authored Feb 2, 2023
2 parents 87a7057 + b1c5073 commit 6943471
Showing 2 changed files with 30 additions and 3 deletions.
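--- a/userauth.go
+++ b/userauth.go
@@ -74,9 +74,14 @@ func (u *ValidateFromToken) Authenticate(r *http.Request) (claims jwt.MapClaims,
 log.Debugf("Looking for key for %s", strIss)
 
 re := regexp.MustCompile(`//([^/]*)`)
+keyMatch := re.FindStringSubmatch(strIss)
+if len(keyMatch) < 2 || keyMatch[1] == "" {
+return nil, fmt.Errorf("failed to get issuer from token iss (%v)", strIss)
+}
+
 switch token.Header["alg"] {
 case "ES256":
-key, err := jwt.ParseECPublicKeyFromPEM(u.pubkeys[re.FindStringSubmatch(strIss)[1]])
+key, err := jwt.ParseECPublicKeyFromPEM(u.pubkeys[keyMatch[1]])
 if err != nil {
 return nil, fmt.Errorf("failed to parse EC public key (%v)", err)
 }
@@ -85,7 +90,7 @@ func (u *ValidateFromToken) Authenticate(r *http.Request) (claims jwt.MapClaims,
 return nil, fmt.Errorf("signed token (ES256) not valid: %v, (token was %s)", err, tokenStr)
 }
 case "RS256":
-key, err := jwt.ParseRSAPublicKeyFromPEM(u.pubkeys[re.FindStringSubmatch(strIss)[1]])
+key, err := jwt.ParseRSAPublicKeyFromPEM(u.pubkeys[keyMatch[1]])
 if err != nil {
 return nil, fmt.Errorf("failed to parse RSA256 public key (%v)", err)
 }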
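Review bot: The new guard before the `switch` rejects an `iss` with no host part, but an issuer whose host is simply absent from `u.pubkeys` still reaches `jwt.ParseECPublicKeyFromPEM` / `jwt.ParseRSAPublicKeyFromPEM` with what is presumably a nil byte slice, so an unknown issuer is reported as "failed to parse ... public key" rather than as an untrusted issuer. That should still fail closed, but the message points triage at key material instead of at the token; a lookup such as `pem, ok := u.pubkeys[keyMatch[1]]` followed by `if !ok { return nil, fmt.Errorf("no public key for issuer %q", keyMatch[1]) }` ahead of the `switch` makes the rejection explicit. The signature check only appears after the key is parsed, so `strIss` is still caller-controlled when the new error is built and is better formatted with `%q` than `%v`. `Authenticate` starts and ends outside the hunks shown.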
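--- a/userauth_test.go
+++ b/userauth_test.go
@@ -135,6 +135,17 @@ func TestUserTokenAuthenticator_ValidateSignature_RSA(t *testing.T) {
 _, brokenToken2 := a.Authenticate(r)
 assert.Equal(t, "broken token (claims are empty): map[]", brokenToken2.Error()[0:38])
 
+// Bad issuer
+basIss, err := helper.CreateRSAToken(prKeyParsed, "RS256", "JWT", helper.WrongTokenAlgClaims)
+assert.NoError(t, err)
+
+r, _ = http.NewRequest("", "/", nil)
+r.Host = "localhost"
+r.Header.Set("X-Amz-Security-Token", basIss)
+r.URL.Path = "/dummy/"
+_, err = a.Authenticate(r)
+assert.Contains(t, err.Error(), "failed to get issuer from token")
+
 // Delete the keys when testing is done or failed
 defer os.RemoveAll(demoKeysPath)
 }
@@ -229,6 +240,17 @@ func TestUserTokenAuthenticator_ValidateSignature_EC(t *testing.T) {
 _, brokenToken2 := a.Authenticate(r)
 assert.Equal(t, "broken token (claims are empty): map[]", brokenToken2.Error()[0:38])
 
+// Bad issuer
+basIss, err := helper.CreateECToken(prKeyParsed, "ES256", "JWT", helper.WrongTokenAlgClaims)
+assert.NoError(t, err)
+
+r, _ = http.NewRequest("", "/", nil)
+r.Host = "localhost"
+r.Header.Set("X-Amz-Security-Token", basIss)
+r.URL.Path = "/dummy/"
+_, err = a.Authenticate(r)
+assert.Contains(t, err.Error(), "failed to get issuer from token")
+
 defer os.RemoveAll(demoKeysPath)
 }
 
@@ -287,7 +309,7 @@ func TestUserTokenAuthenticator_ValidateSignature_HS(t *testing.T) {
 assert.NoError(t, err)
 
 // Create HS256 token
-wrongAlgToken, err := helper.CreateHSToken(key, "HS256", "JWT", helper.WrongTokenAlgClaims)
+wrongAlgToken, err := helper.CreateHSToken(key, "HS256", "JWT", helper.DefaultTokenClaims)
 assert.NoError(t, err)
 
 testPub := make(map[string][]byte)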
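Review bot: In both new "Bad issuer" blocks (the RSA test and the EC test) `assert.Contains(t, err.Error(), ...)` dereferences `err` without checking it, so if `Authenticate` ever accepts the bad-issuer token the test panics on a nil error instead of reporting a failed assertion. Guard the call, e.g. `if assert.Error(t, err) { assert.Contains(t, err.Error(), "failed to get issuer from token") }`. The variable `basIss` looks like a typo for `badIss`. Reusing `helper.WrongTokenAlgClaims` for an issuer test also deserves a one-line comment saying which property of those claims makes the issuer unusable, since the helper is not visible here. Both test functions start outside the hunks shown.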
