
StringIndexOutOfBoundsException on OAuth2AuthMechanism #42591

Closed
cunhafinrix opened this issue Aug 16, 2024 · 3 comments · Fixed by #42595
Labels
kind/bug Something isn't working
Comments

@cunhafinrix

Describe the bug

I'm seeing a StringIndexOutOfBoundsException when the Authorization header is not valid

Expected behavior

It should return an invalid header

Actual behavior

throwing StringIndexOutOfBoundsException

How to Reproduce?

We have an application deployed and we get the usual random WordPress requests trying to access our system. Most of the requests don't cause any issues, but from time to time we get a 500. The last time we saw the 500 error we noticed this error message in our logs: `java.lang.StringIndexOutOfBoundsException: begin 7, end 6, length 6`. Looking at the entire error log we noticed that the error was being thrown inside elytron-security-oauth2, more specifically in here.

What is causing this error is the fact that the "malicious" user is not setting the Bearer token correctly. When the user sends an empty Bearer the code throws an error.

Output of uname -a or ver

No response

Output of java -version

21

Quarkus version or git rev

3.14.2

Build tool (i.e. output of mvnw --version or gradlew --version)

No response

Additional information

The error is caused by the string size not being checked before the substring method is called.

Potential solution

String authHeader = context.request().headers().get("Authorization");
String bearerToken = null;
if (authHeader != null && authHeader.length() > 7) {  // Ensure authHeader is long enough
    bearerToken = authHeader.substring(7);
}
if (bearerToken != null && !bearerToken.isEmpty()) {
    // Install the OAuth2 principal as the caller
    return identityProviderManager
            .authenticate(new TokenAuthenticationRequest(new TokenCredential(bearerToken, "bearer")));
}
// No suitable header has been found in this request,
return Uni.createFrom().nullItem();
@cunhafinrix cunhafinrix added the kind/bug Something isn't working label Aug 16, 2024
@gsmet
Member

gsmet commented Aug 16, 2024

I think we should also check that the string starts with 'Bearer '. Probably case insensitively.

Because atm, we are somehow implying it which is a bad idea.

@gsmet
Member

gsmet commented Aug 16, 2024

From what I can see here, we can be case sensitive: https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
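The header handling discussed in the report and in the comments above, as an added example that is not Quarkus or elytron-security-oauth2 code: a naive `substring(7)` that reproduces the reported `begin 7, end 6, length 6` failure next to a parser that checks for a null header, a case-sensitive `Bearer ` scheme prefix (RFC 6750 section 2.1) and a non-empty token. It goes one step further than the thread and also rejects tokens with characters outside the RFC 6750 b64token grammar; the class and method names are assumptions and the sample headers are constructed.

```java
import java.util.Optional;
import java.util.regex.Pattern;

/** Added example: safe extraction of an RFC 6750 bearer token from an Authorization header. */
public final class BearerTokenParser {

    // RFC 6750 section 2.1: the scheme name "Bearer" followed by a single space, matched case-sensitively.
    private static final String PREFIX = "Bearer ";

    // RFC 6750 b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
    private static final Pattern B64TOKEN = Pattern.compile("^[A-Za-z0-9\\-._~+/]+=*$");

    /** The unchecked variant: "Bearer" alone has length 6, so substring(7) throws. */
    static String naiveExtract(String authHeader) {
        return authHeader.substring(7);
    }

    /**
     * Returns the token only for a well-formed header; a missing header, a different
     * scheme, a lowercase "bearer", an empty token or bad token characters all yield
     * "no suitable header" (Optional.empty()) instead of an exception, so the request
     * falls through to a 401 rather than a 500.
     */
    static Optional<String> extract(String authHeader) {
        if (authHeader == null || !authHeader.startsWith(PREFIX)) {
            return Optional.empty();
        }
        String token = authHeader.substring(PREFIX.length()); // safe: header is at least PREFIX long
        if (token.isEmpty() || !B64TOKEN.matcher(token).matches()) {
            return Optional.empty();
        }
        return Optional.of(token);
    }

    public static void main(String[] args) {
        // Constructed header values covering the reported case and its neighbours.
        String[] samples = { null, "Bearer", "Bearer ", "bearer abc", "Basic dXNlcjpwYXNz",
                             "Bearer abc def", "Bearer eyJhbGciOiJub25lIn0.e30." };
        for (String h : samples) {
            String shown = h == null ? "<absent>" : "\"" + h + "\"";
            System.out.printf("%-36s -> %s%n", shown,
                    extract(h).map(t -> "token=" + t).orElse("no suitable header"));
        }
        try {
            naiveExtract("Bearer"); // the header seen in the report
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("naive: " + e.getMessage()); // begin 7, end 6, length 6
        }
    }
}
```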

@gsmet
Member

gsmet commented Aug 16, 2024

#42595 should address it. Thanks for the very detailed report.

@quarkus-bot quarkus-bot bot added this to the 3.16 - main milestone Aug 16, 2024
vsevel pushed a commit to vsevel/quarkus that referenced this issue Aug 19, 2024
@gsmet gsmet modified the milestones: 3.16 - main, 3.13.3 Aug 19, 2024
gsmet added a commit to gsmet/quarkus that referenced this issue Aug 19, 2024
gsmet added a commit to gsmet/quarkus that referenced this issue Aug 20, 2024
danielsoro pushed a commit to danielsoro/quarkus that referenced this issue Sep 20, 2024