
241015 main from release ( v3.2.1 ) #545

Merged
merged 830 commits into from
Oct 15, 2024

Conversation

ktkfree (Contributor)

@ktkfree ktkfree commented Oct 15, 2024

241015 main from release ( v3.2.1 )

ktkfree and others added 30 commits April 25, 2024 11:29
Add a guard at template creation so that tks requests are not blocked by policy
[RE] bugfix. fix permission ordering error
feature. change audit scheme and remove database constraint
trivial. add organization name to audits
trivial. add favorite field to stack response
trivial. add appserveapps count to stack response
feature. personalization systemNotifications
Improve parameter extraction and handle global variable assignment
including deprecation of legacy one
trivial. update html temporary_password
ktkfree and others added 28 commits July 11, 2024 13:46
trivial. fix parameters for creating lma
feature. add import api to stacks resource
feature. add import api to stacks resource
trivial. change type to string from []byte for kubeconfig
trivial. change type to string from []byte for kubeconfig
feature. add GetCloudServices to stack-template API
feature. add pprof for profiling
trivial. remove omitempty for getStack response
trivial. change delimiter for domains
trivial. change delimiter for domains
20241002 release from develop
@@ -37,3 +38,18 @@
}
return token, err
}

func StringToTokenWithoutVerification(tokenString string) (*jwt.Token, error) {
token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
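Review bot: StringToTokenWithoutVerification hands back whatever claims the client wrote into the token, because ParseUnverified decodes header and payload and never consults a key, so any caller that reads claims from its result is trusting user input; the CodeQL finding below is about this exact call. If the unverified parse is intentional (for example to read the issuer before choosing a verification key), add a doc comment saying so and make sure every caller verifies before using a claim; otherwise verify here. The discarded second return value is the raw token parts, which is fine to ignore.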

Check failure

Code scanning / CodeQL

Missing JWT signature check (High)

This JWT is parsed without verification and received from this user-controlled source.

Copilot Autofix AI 3 months ago

To fix the problem, we need to ensure that the JWT is always parsed with signature verification. This involves replacing the StringToTokenWithoutVerification function with a function that verifies the token's signature using a predefined signing key. We will use the jwt.Parse method with a key function to achieve this.

  1. Replace the StringToTokenWithoutVerification function in internal/helper/jwt.go with a new function that verifies the token's signature.
  2. Update the AuthenticateToken method in internal/middleware/auth/authenticator/keycloak/keycloak.go to use the new function.
Suggested changeset 2
internal/helper/jwt.go

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/internal/helper/jwt.go b/internal/helper/jwt.go
--- a/internal/helper/jwt.go
+++ b/internal/helper/jwt.go
@@ -41,6 +41,9 @@
 
-func StringToTokenWithoutVerification(tokenString string) (*jwt.Token, error) {
-	token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
+func VerifyTokenWithClaims(tokenString string) (*jwt.Token, error) {
+	signingKey := []byte(viper.GetString("jwt-secret"))
+	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		return signingKey, nil
+	})
 	if err != nil {
-		return nil, fmt.Errorf("invalid token")
+		return nil, fmt.Errorf("invalid token: %v", err)
 	}
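Review bot: the keyfunc passed to jwt.Parse returns signingKey unconditionally without inspecting token.Method, so the signing algorithm is still chosen by the client's header; add `if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method %v", token.Header["alg"]) }` before returning the key (or, on golang-jwt v4 and later, pass jwt.WithValidMethods([]string{"HS256"}) as a parser option). Two further problems: the caller updated in the second patch is the Keycloak authenticator, whose tokens are signed by the realm's key rather than with a shared `jwt-secret`, so this key would reject every legitimate token, and if `jwt-secret` is not configured viper.GetString returns "" and HMAC verification silently runs with an empty key. The hunk also uses viper without adding an import; confirm internal/helper/jwt.go already imports it, or the patch will not compile.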
EOF
internal/middleware/auth/authenticator/keycloak/keycloak.go
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/internal/middleware/auth/authenticator/keycloak/keycloak.go b/internal/middleware/auth/authenticator/keycloak/keycloak.go
--- a/internal/middleware/auth/authenticator/keycloak/keycloak.go
+++ b/internal/middleware/auth/authenticator/keycloak/keycloak.go
@@ -51,3 +51,3 @@
 func (a *keycloakAuthenticator) AuthenticateToken(r *http.Request, token string) (*authenticator.Response, bool, error) {
-	parsedToken, err := helper.StringToTokenWithoutVerification(token)
+	parsedToken, err := helper.VerifyTokenWithClaims(token)
 	if err != nil {
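Review bot: switching this line to helper.VerifyTokenWithClaims makes a Keycloak authenticator accept only tokens carrying an HMAC over the local `jwt-secret`, which is the wrong trust anchor for tokens issued by Keycloak; the check that belongs here is against the realm's signing key (its JWKS endpoint) together with issuer and audience validation, and the remainder of AuthenticateToken should read claims from parsedToken only after that succeeds. If verification already happens elsewhere in this method, a comment above this call saying where would keep the next scanner run from flagging it again.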
EOF
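An added example, written for this page and not taken from the tks-api code base or from the Copilot patch above, showing concretely what the CodeQL finding means and what the suggested keyfunc still leaves open. It uses only the Go standard library: a constructed HS256 issuer, an attacker's forge step (swap the claims, keep the signature), an alg=none token, a parser that mirrors what jwt.Parser.ParseUnverified does, and a parser that pins the algorithm and checks the MAC before any claim is returned. The secret, subject and role values are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwtHeader holds the only header field the verifier needs to look at.
type jwtHeader struct {
	Alg string `json:"alg"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Sign mints an HS256 compact JWT; it plays the issuer. The secret is a
// constructed value for the example, not the project's jwt-secret.
func Sign(claims map[string]interface{}, secret []byte) (string, error) {
	hdr, _ := json.Marshal(jwtHeader{Alg: "HS256"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url(hdr) + "." + b64url(body)
	return signingInput + "." + b64url(hs256(secret, signingInput)), nil
}

// Forge is the attacker's move against an unverifying parser: replace the
// claims of a captured token and keep its original signature. No key needed.
func Forge(token string, claims map[string]interface{}) string {
	parts := strings.Split(token, ".")
	body, _ := json.Marshal(claims)
	return parts[0] + "." + b64url(body) + "." + parts[2]
}

// NoneToken builds an unsigned token whose header claims alg=none, the
// classic bypass against parsers that honour whatever algorithm is named.
func NoneToken(claims map[string]interface{}) string {
	hdr, _ := json.Marshal(jwtHeader{Alg: "none"})
	body, _ := json.Marshal(claims)
	return b64url(hdr) + "." + b64url(body) + "."
}

// ParseUnverified behaves like jwt.Parser.ParseUnverified: it decodes the
// claims and never looks at the signature, so the caller trusts the client.
func ParseUnverified(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// ParseVerified pins the algorithm to HS256 and checks the HMAC in constant
// time before any claim is handed to the caller.
func ParseVerified(token string, secret []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr jwtHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	// The alg field is attacker-controlled: the verifier, not the token,
	// decides which algorithm is acceptable. This is the check the Copilot
	// keyfunc omits.
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected signing method %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, hs256(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("signature invalid")
	}
	return ParseUnverified(token)
}

func main() {
	secret := []byte("constructed-example-secret")
	genuine, _ := Sign(map[string]interface{}{"sub": "alice", "role": "user"}, secret)
	forged := Forge(genuine, map[string]interface{}{"sub": "alice", "role": "admin"})
	none := NoneToken(map[string]interface{}{"sub": "alice", "role": "admin"})
	for name, tok := range map[string]string{"genuine": genuine, "forged": forged, "alg=none": none} {
		u, _ := ParseUnverified(tok)
		v, err := ParseVerified(tok, secret)
		fmt.Printf("%-9s unverified role=%v | verified role=%v err=%v\n", name, u["role"], v["role"], err)
	}
}
```

Running main shows the forged and alg=none tokens both come back as role=admin from ParseUnverified and are rejected by ParseVerified, while the genuine token passes both. For a Keycloak-issued token the same shape applies, except that the pinned algorithm would be the realm's RS256 and the key the realm's public key from its JWKS endpoint rather than an HMAC secret.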
@ktkfree ktkfree merged commit b4925d5 into main Oct 15, 2024
7 of 9 checks passed
7 participants