Skip to content

Query params in URL bypasses BLACKLIST setting #3

Open
Open
Query params in URL bypasses BLACKLIST setting#3
@li6in9muyou

Description

@li6in9muyou
li6in9muyou
opened on Jun 3, 2023

To reproduce

  1. set PROXY_BLACKLIST to /blacklist
  2. send a GET request to /blacklist without any authorization header
  3. now send another GET request with query params /blacklist?foo=bar without any authorization header

Expected behavior

Both request get 401.

Actual behavior

The second request does not get 401.

Possible cause

I believe the cause is in this function

jwt-auth-proxy/src/routes.go

Lines 154 to 228 in 6d8bff8

func VerifyJwtMiddleware(next http.Handler) http.Handler {
var isWhitelistMatch = func(url string, whitelistedURL string) bool {
whitelistedURL = strings.TrimSpace(whitelistedURL)
if strings.HasSuffix(whitelistedURL, "/") {
whitelistedURL = whitelistedURL[:len(whitelistedURL)-1]
}
if whitelistedURL != "" && (url == whitelistedURL || strings.HasPrefix(url, whitelistedURL+"/")) {
return true
}
return false
}
var IsWhitelisted = func(r *http.Request) bool {
url := r.URL.RequestURI()
// Check for whitelisted public API paths
for _, whitelistedURL := range unauthorizedRoutes {
if isWhitelistMatch(url, whitelistedURL) {
return true
}
}
// All other public API paths require a valid auth token
if strings.HasPrefix(url, GetConfig().PublicAPIPath) {
return false
}
// Whitelist Mode: Check is URL is whitelisted, else assume auth token is required
if len(GetConfig().ProxyWhitelist) > 0 {
for _, whitelistedURL := range GetConfig().ProxyWhitelist {
if isWhitelistMatch(url, whitelistedURL) {
return true
}
}
return false
}
// Blacklist Mode: Check is URL is blacklisted, else assume auth token is NOT required
for _, blacklistedURL := range GetConfig().ProxyBlacklist {
if isWhitelistMatch(url, blacklistedURL) {
return false
}
}
return true
}
var HandleWhitelistReq = func(w http.ResponseWriter, r *http.Request) {
claims, authHeader, err := ExtractClaimsFromRequest(r)
if err != nil {
next.ServeHTTP(w, r)
return
}
ctx := context.WithValue(r.Context(), contextKeyUserID, claims.UserID)
ctx = context.WithValue(ctx, contextKeyAuthHeader, authHeader)
next.ServeHTTP(w, r.WithContext(ctx))
}
var HandleNonWhitelistReq = func(w http.ResponseWriter, r *http.Request) {
claims, authHeader, err := ExtractClaimsFromRequest(r)
if err != nil {
log.Println(err)
SendUnauthorized(w)
return
}
ctx := context.WithValue(r.Context(), contextKeyUserID, claims.UserID)
ctx = context.WithValue(ctx, contextKeyAuthHeader, authHeader)
next.ServeHTTP(w, r.WithContext(ctx))
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == "OPTIONS" {
HandleWhitelistReq(w, r)
} else if IsWhitelisted(r) {
HandleWhitelistReq(w, r)
} else {
HandleNonWhitelistReq(w, r)
}
})
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions