241015 main from release ( v3.2.1 ) #545
Add a guard when generating templates so that tks requests are not blocked by policy
feature. add api to audit
[RE] bugfix. fix permission ordering error
feature. change audit scheme and remove database constraint
trivial. fix typo
trivial. add organization name to audits
trivial. add favorite field to stack response
trivial. add appserveapps count to stack response
20240425 change projects function
feature. personalization systemNotifications
Improve parameter extraction, handle global variable assignment
feature. change email html
including deprecation of legacy one
trivial. update html temporary_password
trivial. minor fixes
trivial. fix parameters for creating lma
trivial. fix minor bug
feature. add import api to stacks resource
feature. add import api to stacks resource
trivial. change type to string from []byte for kubeconfig
trivial. change type to string from []byte for kubeconfig
feature. add GetCloudServices to stack-template API
feature. add pprof for profiling
trivial. remove omitempty for getStack response
trivial. change delimiter for domains
trivial. change delimiter for domains
trivial. fix lint error
20241002 release from develop
@@ -37,3 +38,18 @@ | |||
} | |||
return token, err | |||
} | |||
|
|||
func StringToTokenWithoutVerification(tokenString string) (*jwt.Token, error) { | |||
token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{}) |
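Review bot: `StringToTokenWithoutVerification` hands back whatever `ParseUnverified` decoded, so every claim on the returned token is attacker-controlled until something else verifies the signature; if the helper exists only to peek at claims before real verification (for example to pick an issuer or realm), say so in a doc comment and make sure no caller treats its output as authenticated, otherwise replace it with a verifying parse that also checks the signing method.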
Check failure: Code scanning / CodeQL
Missing JWT signature check (High): This JWT is parsed without verification and received from this user-controlled source.
Copilot Autofix AI, 3 months ago:
To fix the problem, we need to ensure that the JWT is always parsed with signature verification. This involves replacing the StringToTokenWithoutVerification function with a function that verifies the token's signature using a predefined signing key. We will use the jwt.Parse method with a key function to achieve this.
- Replace the StringToTokenWithoutVerification function in internal/helper/jwt.go with a new function that verifies the token's signature.
- Update the AuthenticateToken method in internal/middleware/auth/authenticator/keycloak/keycloak.go to use the new function.
@@ -41,6 +41,9 @@ | ||
|
||
func StringToTokenWithoutVerification(tokenString string) (*jwt.Token, error) { | ||
token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{}) | ||
func VerifyTokenWithClaims(tokenString string) (*jwt.Token, error) { | ||
signingKey := []byte(viper.GetString("jwt-secret")) | ||
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { | ||
return signingKey, nil | ||
}) | ||
if err != nil { | ||
return nil, fmt.Errorf("invalid token") | ||
return nil, fmt.Errorf("invalid token: %v", err) | ||
} |
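Review bot: the key function passed to `jwt.Parse` returns `signingKey` for every token without looking at `token.Method`, so the algorithm named in the client-supplied header decides how the secret is used; add a check that `token.Method` is the expected `*jwt.SigningMethodHMAC` and return an error otherwise, as the library's documentation recommends. Also confirm that `viper.GetString("jwt-secret")` is actually configured and that the tokens reaching this helper are signed with that shared secret: the caller in the next hunk is a Keycloak authenticator, and Keycloak normally signs tokens with the realm's asymmetric key, in which case an HMAC secret would reject every legitimate token and the check must use the realm's public key instead.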
@@ -51,3 +51,3 @@ | ||
func (a *keycloakAuthenticator) AuthenticateToken(r *http.Request, token string) (*authenticator.Response, bool, error) { | ||
parsedToken, err := helper.StringToTokenWithoutVerification(token) | ||
parsedToken, err := helper.VerifyTokenWithClaims(token) | ||
if err != nil { |
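Review bot: renaming the helper means every other caller of `helper.StringToTokenWithoutVerification` has to be migrated or the build breaks; if the old helper is deliberately kept for callers that only need to peek at claims, the unverified path still exists and should be named and documented as such. Because `AuthenticateToken` now trusts `parsedToken` on the strength of the shared secret alone, the claim checks that follow (not shown) should still validate issuer, audience and expiry.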
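The finding and the autofix come down to one distinction: an unverified parse returns whatever claims the client placed in the token, while a verifying parse must pin the algorithm and check the signature before anything is trusted. The Go program below is an added illustration, not code from this PR or the project; it uses only the standard library, mints a constructed HS256 token under a demo key, and contrasts an unverified parse with a verifying one, with header pinning standing in for the `token.Method` check a `jwt.Parse` key function should make.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// header is the only JOSE header this demo issues or accepts; pinning it stands in for token.Method.
var header = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

// hs256 returns the base64url HMAC-SHA256 of "header.payload" under key.
func hs256(signingInput string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// sign mints a token for claims (demo helper, not the project's own code).
func sign(claims map[string]any, key []byte) string {
	body, _ := json.Marshal(claims)
	in := header + "." + base64.RawURLEncoding.EncodeToString(body)
	return in + "." + hs256(in, key)
}

// parseUnverified behaves like ParseUnverified: claims come back as the client sent them, signed or not.
func parseUnverified(tok string) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var claims map[string]any
	err := json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[1]))).Decode(&claims)
	return claims, err
}

// parseVerified rejects any other header (alg=none, swapped alg) and checks the MAC in constant time first.
func parseVerified(tok string, key []byte) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[0] != header {
		return nil, errors.New("unexpected signing method")
	}
	if !hmac.Equal([]byte(parts[2]), []byte(hs256(parts[0]+"."+parts[1], key))) {
		return nil, errors.New("invalid token: signature mismatch")
	}
	return parseUnverified(tok)
}
```

A token minted under a key the service does not hold passes parseUnverified with attacker-chosen claims and fails parseVerified, which is exactly the gap CodeQL flagged.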