Security Breach! #26

Open
stravid87 opened this issue Oct 28, 2024 · 0 comments
@stravid87
Contributor

Description
After reviewing the Layer8 interceptor / middleware, I notice that we are sending the shared secret across the network???? Bad idea!

	// Closure that runs the ECDH handshake and writes the outcome onto the JS response object.
	initECDH := func() interface{} {
		secret, pub, mpjwt, err := internals.InitializeECDH(goHeaders)
		if err != nil {
			println(err.Error())
			res.Set("statusCode", 500)
			res.Set("statusMessage", "Failure to initialize ECDH")
			res.Call("end", "500 Internal Server Error")
			return nil
		}

		res.Set("statusCode", 200)
		res.Set("statusMessage", "ECDH Successfully Completed!")
		// The derived shared secret is copied into a response header and leaves the process.
		res.Call("setHeader", "x-shared-secret", secret)
		res.Call("setHeader", "mp-JWT", mpjwt)
		// Only the server's public key belongs in the response body.
		res.Call("end", pub)
		return nil
	}

In the interceptor we don't seem to use the x-shared-secret header... so why are we including it? Likely for debugging purposes. Please try to remove this line, res.Call("setHeader", "x-shared-secret", secret), and then test.

Acceptance Criteria
The interceptor, proxy and middleware still work with this line commented out.
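The leak and its fix side by side, as an added example that is not Layer8's own code: a plain net/http version of the handler shown above, with a stand-in for internals.InitializeECDH built on crypto/ecdh (X25519), a flag that reproduces the bug, the client half of the handshake, and the check a test for the acceptance criterion needs. The x-client-public-key header, the /init-tunnel route, the initializeECDH signature and the placeholder mp-JWT value are assumptions for this example, not the project's.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// x-shared-secret and mp-JWT come from the issue; the client key header and route are assumed.
const (
	clientPubHeader    = "x-client-public-key"
	sharedSecretHeader = "x-shared-secret"
	mpJWTHeader        = "mp-JWT"
)

func parsePub(s string) (*ecdh.PublicKey, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	return ecdh.X25519().NewPublicKey(raw)
}

// initializeECDH stands in for internals.InitializeECDH: returns the X25519 shared secret and the server's public key.
func initializeECDH(serverKey *ecdh.PrivateKey, h http.Header) (secret, pub []byte, err error) {
	clientPub, err := parsePub(h.Get(clientPubHeader))
	if err != nil {
		return nil, nil, fmt.Errorf("client key: %w", err)
	}
	if secret, err = serverKey.ECDH(clientPub); err != nil {
		return nil, nil, err
	}
	return secret, serverKey.PublicKey().Bytes(), nil
}

// ecdhHandler has the shape of the initECDH closure in the issue; leakSecret=true reproduces the bug.
func ecdhHandler(serverKey *ecdh.PrivateKey, leakSecret bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		secret, pub, err := initializeECDH(serverKey, r.Header)
		if err != nil {
			http.Error(w, "Failure to initialize ECDH", http.StatusInternalServerError)
			return
		}
		w.Header().Set(mpJWTHeader, "placeholder.mp.jwt") // stand-in for the mpjwt value
		if leakSecret {
			w.Header().Set(sharedSecretHeader, base64.StdEncoding.EncodeToString(secret)) // the bug
		}
		w.Write([]byte(base64.StdEncoding.EncodeToString(pub))) // only the public key belongs in the reply
	}
}

// runExchange is the client half: fresh key, public half in the request, secret derived
// locally from the server's public key in the body. Returns that secret and the raw response.
func runExchange(h http.Handler) ([]byte, *http.Response, string, error) {
	clientKey, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, "", err
	}
	req := httptest.NewRequest(http.MethodGet, "/init-tunnel", nil)
	req.Header.Set(clientPubHeader, base64.StdEncoding.EncodeToString(clientKey.PublicKey().Bytes()))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	resp, body := rec.Result(), rec.Body.String()
	if resp.StatusCode != http.StatusOK {
		return nil, nil, "", fmt.Errorf("server returned %d: %s", resp.StatusCode, body)
	}
	serverPub, err := parsePub(body)
	if err != nil {
		return nil, nil, "", err
	}
	secret, err := clientKey.ECDH(serverPub)
	return secret, resp, body, err
}

// leaksSecret is the check behind the acceptance criterion: is the secret in any header value or the body?
func leaksSecret(resp *http.Response, body string, secret []byte) bool {
	needle := base64.StdEncoding.EncodeToString(secret)
	for _, vals := range resp.Header {
		for _, v := range vals {
			if strings.Contains(v, needle) {
				return true
			}
		}
	}
	return strings.Contains(body, needle)
}

func main() {
	serverKey, _ := ecdh.X25519().GenerateKey(rand.Reader)
	for _, leak := range []bool{true, false} {
		secret, resp, body, err := runExchange(ecdhHandler(serverKey, leak))
		if err != nil {
			panic(err)
		}
		fmt.Printf("leakSecret=%v: secret visible in response: %v\n", leak, leaksSecret(resp, body, secret))
	}
}
```

The client derives the same secret on its own from the server's public key in the body, so the header carries nothing the client needs and exactly what an on-path observer wants. Removing the one setHeader call is the whole fix; the handshake, the mp-JWT header and the public key in the body are untouched, which is what the acceptance criterion asks to confirm. Even behind TLS a secret in a response header ends up in proxy and CDN logs and in browser devtools, so "we don't read it" is not a reason to keep it.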

@stravid87 stravid87 added this to Layer8 Oct 28, 2024
@stravid87 stravid87 moved this to Specification Done in Layer8 Oct 28, 2024