Skip to content

Commit

Permalink
[http_authorization] Check for nil value when decode based64 value
Browse files Browse the repository at this point in the history
Performing a match on a nil value results in an exception being thrown
and bypassing the entire authorization validation process.
  • Loading branch information
tkan145 committed Nov 6, 2024
1 parent 58d15ec commit e2303b7
Show file tree
Hide file tree
Showing 4 changed files with 536 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
- Fix APIcast using stale configuration for deleted products [PR #1488](https://github.com/3scale/APIcast/pull/1488) [THREESCALE-10130](https://issues.redhat.com/browse/THREESCALE-10130)
- Fixed Mutual TLS between APIcast and the Backend API fails when using a Forward Proxy [PR #1499](https://github.com/3scale/APIcast/pull/1499) [THREESCALE-5105](https://issues.redhat.com/browse/THREESCALE-5105)
- Fixed dns cache miss [PR #1500](https://github.com/3scale/APIcast/pull/1500) [THEESCALE-9301](https://issues.redhat.com/browse/THREESCALE-9301)
- Fixed APIcast panic when parsing invalid base64 encoded value [PR #1505](https://github.com/3scale/APIcast/pull/1505) [THEESCALE-11435](https://issues.redhat.com/browse/THREESCALE-11435)

### Added

Expand Down
5 changes: 4 additions & 1 deletion gateway/src/resty/http_authorization.lua
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,11 @@ local _M = {
local mt = { __index = _M }

function _M.parsers.Basic(param)
local userid, password
local user_pass = ngx.decode_base64(param)
local userid, password = match(user_pass, '^(.*):(.*)$')
if user_pass then
userid, password = match(user_pass, '^(.*):(.*)$')
end

return {
userid = userid,
Expand Down
7 changes: 7 additions & 0 deletions spec/resty/http_authorization_spec.lua
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,13 @@ describe('HTTP Authorization', function()
assert.equal('', auth.userid)
assert.equal('pass', auth.password)
end)

it('do not panic with invalid header', function()
local auth = authorization.new('Basic !123!')

assert.equal(nil, auth.userid)
assert.equal(nil, auth.password)
end)
end)

describe('Bearer', function()
Expand Down
Loading

0 comments on commit e2303b7

Please sign in to comment.