From 3107636d3014c152a1b9c06171059fd2a8735dc3 Mon Sep 17 00:00:00 2001
From: An Tran
Date: Fri, 18 Oct 2024 17:00:03 +1000
Subject: [PATCH] [http_authorization] Check for nil value when decode based64 value

Performing a match on a nil value results in an exception being thrown and bypassing the entire authorization validation process.
---
 gateway/src/resty/http_authorization.lua | 5 ++++-
 spec/resty/http_authorization_spec.lua | 7 +++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/gateway/src/resty/http_authorization.lua b/gateway/src/resty/http_authorization.lua
index 89a990e47..4a618404f 100644
--- a/gateway/src/resty/http_authorization.lua
+++ b/gateway/src/resty/http_authorization.lua
@@ -9,8 +9,11 @@ local _M = {
 local mt = { __index = _M }
 function _M.parsers.Basic(param)
+ local userid, password
 local user_pass = ngx.decode_base64(param)
- local userid, password = match(user_pass, '^(.*):(.*)$')
+ if user_pass then
+ userid, password = match(user_pass, '^(.*):(.*)$')
+ end
 return {
 userid = userid,
diff --git a/spec/resty/http_authorization_spec.lua b/spec/resty/http_authorization_spec.lua
index 0f50b7636..4e94a0073 100644
--- a/spec/resty/http_authorization_spec.lua
+++ b/spec/resty/http_authorization_spec.lua
@@ -60,6 +60,13 @@ describe('HTTP Authorization', function()
 assert.equal('', auth.userid)
 assert.equal('pass', auth.password)
 end)
+
+ it('do not panic with invalid header', function()
+ local auth = authorization.new('Basic !123!')
+
+ assert.equal(nil, auth.userid)
+ assert.equal(nil, auth.password)
+ end)
 end)
 describe('Bearer', function()
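Review bot: The pattern `'^(.*):(.*)$'` on the re-added `match` line has a greedy first capture, so a decoded value holding more than one colon is split at the last colon instead of the first. RFC 7617 makes the first colon the separator between user-id and password, which means a password containing `:` leaks part of itself into `userid` and the credential comparison runs on the wrong pair. Changing the line to `userid, password = match(user_pass, '^([^:]*):(.*)$')` keeps the new nil guard and splits at the first colon. The parser now returns nil `userid` and `password` for undecodable input, so the code that consumes this table (outside the hunk) presumably has to treat nil credentials as a failed authentication; a comment above the guard such as `-- ngx.decode_base64 returns nil for malformed input; credentials stay nil` would record that intent. The body of `_M.parsers.Basic` continues past the end of the hunk.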
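Review bot: The added spec covers only a value that fails base64 decoding (`'Basic !123!'`); the second route to nil credentials, a value that decodes cleanly but contains no colon, is not exercised. A sibling case built on `local auth = authorization.new('Basic dXNlcg==')` (constructed sample, base64 of `user`) with `assert.is_nil(auth.userid)` and `assert.is_nil(auth.password)` would pin that path, and `assert.is_nil` reads more directly than `assert.equal(nil, ...)` in the new case as well. Whether `ngx.decode_base64` can still be reached with a nil `param`, for a header that carries the scheme and nothing else, depends on the parsing in `new`, which is not shown here, so a case for a bare `'Basic'` header is worth adding too. The enclosing `describe` block starts outside the hunk.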