Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

room claim is always set to * #331

Open
micolous opened this issue Oct 11, 2024 · 0 comments
Open

room claim is always set to * #331

micolous opened this issue Oct 11, 2024 · 0 comments

Comments

@micolous
Copy link

micolous commented Oct 11, 2024
edited
Loading

jitsi-openid always creates a JWT with a room claim set to *:

jitsi-openid/src/routes.rs

Line 156 in eb7b9d7

"*".to_string(),

The room is saved to the session, and is used in that same handler to construct a final URL to send to Jitsi Meet:

jitsi-openid/src/routes.rs

Line 165 in eb7b9d7

let mut url = state.config.jitsi_url.join(&session.room).unwrap();

Also, the room session attribute itself is set from an external input:

jitsi-openid/src/routes.rs

Lines 36 to 40 in eb7b9d7

async fn room(
Path(room): Path<String>,
State(state): State<JitsiState>,
jar: CookieJar,
) -> impl IntoResponse {

This should reject setting it to *.

Properly scoping the JWT means you could also run the token_no_wildcard contrib plugin, so that Jitsi Meet any rejects token containing wildcards in the sub or room parameters, which could limit the scope of another security issue.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@micolous