TykTechnologies / tyk

Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

Security: Custom tokens are not secure #2516

Closed ilijabojanovic closed 4 years ago

ilijabojanovic commented 5 years ago

Branch/Environment/Version

Describe the bug

Related to: https://github.com/TykTechnologies/product/issues/165

When we create a custom token, we can manipulate its characters. Example: with the custom token ilijaaa, the gateway will pass traffic for the tokens ilij, ilija, ilijaa

Reproduction steps Steps to reproduce the behavior:

  1. Create custom api token
    curl -X GET \
    http://www.tyk-test.com:3000/api/keys/ilijaaa \
    -H 'Accept: */*' \
    -H 'Accept-Encoding: gzip, deflate' \
    -H 'Authorization: c3a8dfbbdcf547446b96fd5b2e5d8728' \
    -H 'Cache-Control: no-cache' \
    -H 'Connection: keep-alive' \
    -H 'Content-Length: 860' \
    -H 'Content-Type: application/json' \
    -H 'Host: www.tyk-test.com:3000' \
    -H 'User-Agent: PostmanRuntime/7.17.1' \
    -H 'cache-control: no-cache' \
    -d '{
    "last_check": 0,
    "certificate": null,
    "allowance": 1000,
    "hmac_enabled": false,
    "hmac_string": "",
    "basic_auth_data": {
        "password": ""
    },
    "rate": 1000,
    "per": 60,
    "throttle_interval": -1,
    "throttle_retry_limit": -1,
    "expires": 1568811574,
    "quota_max": -1,
    "quota_renews": 1568807973,
    "quota_remaining": -1,
    "quota_renewal_rate": -1,
    "access_rights": {
        "d7fef4e0752b4f4178f8ba2dbcc15221": {
            "api_id": "d7fef4e0752b4f4178f8ba2dbcc15221",
            "api_name": "api",
            "versions": [
                "Default"
            ],
            "allowed_urls": [],
            "limit": null
        }
    },
    "apply_policy_id": "",
    "apply_policies": [],
    "tags": [],
    "jwt_data": {
        "secret": ""
    },
    "meta_data": {},
    "alias": ""
    }'
  2. Generate traffic to the api with the Authorization header 'Authorization: ilij'

Actual behavior Invalid tokens will pass auth middleware and gateway will proxy request

Expected behavior Gateway should reject invalid tokens


Configuration (tyk config file): Gw configuration:

{
    "listen_address": "",
    "listen_port": 8181,
    "secret": "352d20ee67be67f6340b4c0605b044b7",
    "node_secret": "352d20ee67be67f6340b4c0605b044b7",
    "template_path": "./templates",
    "tyk_js_path": "./js/tyk.js",
    "middleware_path": "./middleware",
    "policies": {
        "policy_source": "service",
        "policy_connection_string": "http://tyk-dashboard:3000",
        "policy_record_name": "tyk_policies",
        "allow_explicit_policy_id": true
    },
    "use_db_app_configs": true,
    "db_app_conf_options": {
        "connection_string": "http://tyk-dashboard:3000",
        "node_is_segmented": false,
        "tags": null
    },
    "disable_dashboard_zeroconf": false,
    "app_path": "./test_apps/",
    "storage": {
        "type": "redis",
        "host": "",
        "port": 0,
        "hosts": {
            "tyk-redis": "6379"
        },
        "username": "",
        "password": "",
        "database": 0,
        "optimisation_max_idle": 3000,
        "optimisation_max_active": 5000,
        "enable_cluster": false
    },
    "enable_separate_cache_store": false,
    "cache_storage": {
        "type": "redis",
        "host": "",
        "port": 0,
        "hosts": {
            "localhost": "6379"
        },
        "username": "",
        "password": "",
        "database": 0,
        "optimisation_max_idle": 3000,
        "optimisation_max_active": 5000,
        "enable_cluster": false
    },
    "enable_analytics": true,
    "analytics_config": {
        "type": "mongo",
        "ignored_ips": [],
        "enable_detailed_recording": true,
        "enable_geo_ip": false,
        "geo_ip_db_path": "./GeoLite2-City.mmdb",
        "normalise_urls": {
            "enabled": true,
            "normalise_uuids": true,
            "normalise_numbers": true,
            "custom_patterns": []
        }
    },
    "health_check": {
        "enable_health_checks": false,
        "health_check_value_timeouts": 0
    },
    "optimisations_use_async_session_write": false,
    "allow_master_keys": false,
    "hash_keys": true,
    "hash_key_function": "murmur64",
    "suppress_redis_signal_reload": false,
    "suppress_default_org_store": false,
    "use_redis_log": true,
    "sentry_code": "",
    "use_sentry": false,
    "use_syslog": false,
    "use_graylog": false,
    "use_logstash": false,
    "graylog_network_addr": "",
    "logstash_network_addr": "",
    "syslog_transport": "",
    "logstash_transport": "",
    "syslog_network_addr": "",
    "enforce_org_data_age": true,
    "enforce_org_data_detail_logging": false,
    "enforce_org_quotas": true,
    "experimental_process_org_off_thread": true,
    "enable_non_transactional_rate_limiter": true,
    "enable_sentinel_rate_limiter": false,
    "management_node": false,
    "Monitor": {
        "enable_trigger_monitors": false,
        "configuration": {
            "method": "",
            "target_path": "",
            "template_path": "",
            "header_map": null,
            "event_timeout": 0
        },
        "global_trigger_limit": 0,
        "monitor_user_keys": false,
        "monitor_org_keys": false
    },
    "oauth_refresh_token_expire": 0,
    "oauth_token_expire": 0,
    "oauth_redirect_uri_separator": ";",
    "slave_options": {
        "use_rpc": false,
        "connection_string": "",
        "rpc_key": "",
        "api_key": "",
        "enable_rpc_cache": false,
        "bind_to_slugs": false,
        "disable_keyspace_sync": false,
        "group_id": ""
    },
    "disable_virtual_path_blobs": false,
    "local_session_cache": {
        "disable_cached_session_state": true,
        "cached_session_timeout": 0,
        "cached_session_eviction": 0
    },
    "http_server_options": {
        "override_defaults": false,
        "read_timeout": 0,
        "write_timeout": 0,
        "use_ssl": true,
        "use_ssl_le": false,
        "enable_websockets": true,
        "skip_url_cleaning": true,
        "skip_target_path_escaping": true,
        "ssl_insecure_skip_verify": true,
        "certificates": [{
            "cert_file": "/etc/ssl/certs/server.crt",
            "key_file": "/etc/ssl/certs/server.key"
        }],
        "server_name": "",
        "min_version": 0,
        "flush_interval": 0
    },
    "service_discovery": {
        "default_cache_timeout": 0
    },
    "close_connections": true,
    "auth_override": {
        "force_auth_provider": false,
        "auth_provider": {
            "name": "",
            "storage_engine": "",
            "meta": null
        },
        "force_session_provider": false,
        "session_provider": {
            "name": "",
            "storage_engine": "",
            "meta": null
        }
    },
    "uptime_tests": {
        "disable": false,
        "config": {
            "failure_trigger_sample_size": 1,
            "time_wait": 2,
            "checker_pool_size": 50,
            "enable_uptime_analytics": true
        }
    },
    "hostname": "",
    "enable_api_segregation": false,
    "control_api_hostname": "",
    "enable_custom_domains": true,
    "enable_jsvm": true,
    "hide_generator_header": false,
    "event_handlers": {
        "events": {}
    },
    "event_trigers_defunct": {},
    "pid_file_location": "./tyk-gateway.pid",
    "allow_insecure_configs": true,
    "public_key_path": "/home/tyk/go/src/github.com/lonelycode/tyk-cloud-config-v2/keys/public.pem",
    "close_idle_connections": false,
    "allow_remote_config": true,
    "enable_bundle_downloader": true,
    "bundle_base_url": "http://192.168.1.50:8000/",
    "enable_hashed_keys_listing": true,
    "coprocess_options": {
        "enable_coprocess": true,
        "python_path_prefix": "/develop/go/src/github.com/TykTechnologies/tyk"
    }
}


sedkis commented 5 years ago

This is the same with regular auth tokens. Didn't we say this is because of the default hashing algorithm?

These tokens all work:

Actual token: 5d431f8d06ac9e183bf49f9c3ce6068a57a945c2a5d8145bc12c6d0e

All work:
5d431f8d06ac9e183bf49f9c3ce6068a57a945c2a5d8145bc12c6d0e1
5d431f8d06ac9e183bf49f9c3ce6068a57a945c2a5d8145bc12c6d0e11
5d431f8d06ac9e183bf49f9c3ce6068a57a945c2a5d8145bc12c6d0e111
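The two reports above (truncated custom tokens in the issue body, extended auth tokens in this comment) describe the same symptom: a token that merely shares a prefix with a real key is accepted. The following is an added regression check, example code rather than Tyk's own key-lookup implementation. It assumes nothing about how the gateway stores keys: `hashToken` uses SHA-256 purely to keep the example self-contained (it stands in for whatever `hash_key_function` is configured), `NewPartialMatchAuthenticator` is a constructed model of the observed behaviour and not the real defect, and `NewExactAuthenticator` shows the property a fix must have: only a full-hash match, compared in constant time, is accepted. `WronglyAccepted` enumerates every truncation and a few extensions of a token and returns the ones that get through, so an empty result is the condition to assert in CI.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Authenticator reports whether a presented bearer token is valid.
type Authenticator func(presented string) bool

// hashToken is the hypothetical stored form of a key. SHA-256 is used here
// only so the example is self-contained; it stands in for whatever
// hash_key_function the gateway is configured with.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// NewExactAuthenticator keeps only token hashes and accepts a presented
// token when its hash equals a stored hash in full; the comparison is
// constant-time so a partial match leaks nothing about the stored value.
func NewExactAuthenticator(tokens []string) Authenticator {
	stored := make([][]byte, 0, len(tokens))
	for _, t := range tokens {
		stored = append(stored, []byte(hashToken(t)))
	}
	return func(presented string) bool {
		h := []byte(hashToken(presented))
		match := 0
		for _, s := range stored {
			match |= subtle.ConstantTimeCompare(h, s)
		}
		return match == 1
	}
}

// NewPartialMatchAuthenticator models the symptom reported in the thread:
// a presented token is accepted if it is a prefix of a real token, or if a
// real token is a prefix of it. This is a constructed model of the observed
// behaviour, not Tyk's key-lookup code.
func NewPartialMatchAuthenticator(tokens []string) Authenticator {
	return func(presented string) bool {
		if presented == "" {
			return false
		}
		for _, t := range tokens {
			if strings.HasPrefix(t, presented) || strings.HasPrefix(presented, t) {
				return true
			}
		}
		return false
	}
}

// NearMissVariants returns every truncation of token plus a few extensions,
// i.e. the inputs a correct authenticator must reject.
func NearMissVariants(token string) []string {
	var out []string
	for i := 1; i < len(token); i++ {
		out = append(out, token[:i])
	}
	for _, suffix := range []string{"1", "11", "111", "a"} {
		out = append(out, token+suffix)
	}
	return out
}

// WronglyAccepted returns the near-miss variants that auth lets through.
// An empty result is the regression condition to assert in CI.
func WronglyAccepted(auth Authenticator, token string) []string {
	var bad []string
	for _, v := range NearMissVariants(token) {
		if auth(v) {
			bad = append(bad, v)
		}
	}
	return bad
}

func main() {
	token := "ilijaaa" // constructed sample, matching the token in the report above
	for name, auth := range map[string]Authenticator{
		"exact":         NewExactAuthenticator([]string{token}),
		"partial-match": NewPartialMatchAuthenticator([]string{token}),
	} {
		bad := WronglyAccepted(auth, token)
		fmt.Printf("%-13s accepts real token: %v, wrongly accepts %d variants: %v\n",
			name, auth(token), len(bad), bad)
	}
}
```

Running it prints that the exact authenticator accepts only `ilijaaa` and rejects all ten variants, while the partial-match model accepts every one of them, which is the behaviour both reports describe. Swapping the real key-lookup function in for `auth` turns `WronglyAccepted` into a test that fails again if prefix matching ever comes back.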

buger commented 5 years ago

It really looks like the old murmur32 bug, but new keys are working with the new key format, and @ilijabojanovic said that he has murmur64 in his config

sedkis commented 5 years ago

I'm on release-2.8 and using default (nothing set in config) - hope that helps.

furkansenharputlu commented 4 years ago

I couldn't reproduce this issue. We had a call with @ilijabojanovic and we need @maciejwojciechowski's confirmation.

maciejwojciechowski commented 4 years ago

@ilijabojanovic @furkansenharputlu I am not able to reproduce it on my local with murmur64

ilijabojanovic commented 4 years ago

Fixed