TeslaGov / ngx-http-auth-jwt-module

Secure your NGINX locations with JWT
MIT License

Missing sub or emailAddress leads to segmentation fault #28

Closed max-lt closed 6 years ago

max-lt commented 6 years ago

When checking a token that has no "emailAddress" and/or "sub" field, the nginx worker process gets killed by a segfault.

without emailAddress:

 [error] 12#0: *9 auth_jwt_validation_type.len 17, client: 172.17.0.1, server: localhost, request: "GET /secure/index.html HTTP/1.1", host: "127.0.0.1:8000"
 [error] 12#0: *9 the jwt does not contain an email address, client: 172.17.0.1, server: localhost, request: "GET /secure/index.html HTTP/1.1", host: "127.0.0.1:8000"
 [notice] 1#0: signal 17 (SIGCHLD) received
 [alert] 1#0: worker process 12 exited on signal 11 (core dumped)
 [notice] 1#0: start worker process 13

without sub:

 [error] 10#0: *7 auth_jwt_validation_type.len 17, client: 172.17.0.1, server: localhost, request: "GET /secure/index.html HTTP/1.1", host: "127.0.0.1:8000"
 [error] 10#0: *7 the jwt does not contain a subject, client: 172.17.0.1, server: localhost, request: "GET /secure/index.html HTTP/1.1", host: "127.0.0.1:8000"
 [notice] 1#0: signal 17 (SIGCHLD) received
 [alert] 1#0: worker process 10 exited on signal 11 (core dumped)
 [notice] 1#0: start worker process 11

Workaround:

Adding goto redirect; at the end of the two blocks that make these checks does the trick, BUT since we are facing a JWT that has been correctly signed but does not meet the requirements, I suggest not redirecting to the authentication server (if redirect is set), to avoid a redirection loop, nor returning a 401 status (because it could be handled with nginx's error_page directive (like error_page 401 = /go_to_login;) and lead to a redirection loop too). Adding an else block with the custom header assignment works as well, but the headers will be unset.

For now, I'm returning a 403 (NGX_HTTP_FORBIDDEN) code because a 403 response should prevent the request from being repeated (https://tools.ietf.org/html/rfc2616#section-10.4.2).

How to reproduce:

In your nginx.conf file, change your error_log to error_log /dev/stderr info; (you won't see anything otherwise).

Run tests with:

# Missing "sub"
VALIDJWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmaXJzdE5hbWUiOiJoZWxsbyIsImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwicm9sZXMiOlsidGhpcyIsInRoYXQiLCJ0aGVvdGhlciJdLCJpc3MiOiJpc3N1ZXIiLCJwZXJzb25JZCI6Ijc1YmIzY2M3LWI5MzMtNDRmMC05M2M2LTE0N2IwODJmYWRiNSIsImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.lD6jUsazVtzeGhRTNeP_b2Zs6O798V2FQql11QOEI1Q
# Missing "email"
VALIDJWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwibGFzdE5hbWUiOiJ3b3JsZCIsInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwiaXNzIjoiaXNzdWVyIiwicGVyc29uSWQiOiI3NWJiM2NjNy1iOTMzLTQ0ZjAtOTNjNi0xNDdiMDgyZmFkYjUiLCJleHAiOjE5MDg4MzUyMDAsImlhdCI6MTQ4ODgxOTYwMCwidXNlcm5hbWUiOiJoZWxsby53b3JsZCJ9.tJoAl_pvq95hK7GKqsp5TU462pLTbmSYZc1fAHzcqWM

fitzyjoe commented 6 years ago

Thanks @maxx-t. This crept into the code when I started setting headers for these fields so I can log them. I've committed a code change to include the two test JWTs in this issue and some code to only set the headers when the values are present in the JWT.
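A minimal model of that fix, as an added C example that is not the module's own code: the claim set stands in for a decoded, signature-verified token, and the handler returns the 403 from the workaround above instead of dereferencing a missing claim. The types claim_t and auth_headers_t, the functions claim_lookup and set_claim_headers, and the sample claim sets are all assumptions made for this example (the claim sets are modelled on the payloads of the two test tokens in the issue).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a decoded, signature-verified claim set (the module
   itself reads grants through libjwt after the signature check). */
typedef struct { const char *name; const char *value; } claim_t;

/* Stand-in for the request headers the module fills from the token. */
typedef struct { char sub[128]; char email[128]; } auth_headers_t;

/* Look up a claim; NULL means "absent", like a missing grant in the token. */
static const char *claim_lookup(const claim_t *claims, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(claims[i].name, name) == 0)
            return claims[i].value;
    return NULL;
}

/* Hardened handler: headers are set only when both claims are present.
   Returns 200 on success and 403 (the status chosen in the issue) when a
   correctly signed token lacks "sub" or "emailAddress"; the original crash
   came from running strlen()/memcpy on the NULL of a missing claim. */
int set_claim_headers(const claim_t *claims, size_t n, auth_headers_t *out) {
    const char *sub = claim_lookup(claims, n, "sub");
    const char *email = claim_lookup(claims, n, "emailAddress");
    memset(out, 0, sizeof *out);
    if (sub == NULL || email == NULL)
        return 403;            /* never dereference the missing value */
    snprintf(out->sub, sizeof out->sub, "%s", sub);
    snprintf(out->email, sizeof out->email, "%s", email);
    return 200;
}

/* Sample claim sets modelled on the two test tokens' payloads (constructed). */
static const claim_t missing_sub[] = {
    {"firstName", "hello"}, {"emailAddress", "helloworld@example.com"}, {"iss", "issuer"}
};
static const claim_t missing_email[] = {
    {"sub", "some-long-uuid"}, {"firstName", "hello"}, {"iss", "issuer"}
};

int main(void) {
    auth_headers_t h;
    printf("missing sub   -> %d\n", set_claim_headers(missing_sub, 3, &h));
    printf("missing email -> %d\n", set_claim_headers(missing_email, 3, &h));
    return 0;
}
```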

kevinmichaelchen commented 6 years ago

For posterity: see #29