aporeto-inc / trireme-lib

Simple, scalable and secure application segmentation
https://trireme.io
Apache License 2.0

fix: panic when the token is malformed #951

Closed sibicramesh closed 4 years ago

sibicramesh commented 4 years ago

NOTE: This fix only avoids the crash. This doesn't explain why the token was messed up in the first place.

The issue here is that the signature position in the token is missing, and the check for that was absent. We then proceed to extract the signature from this position, which in this case will be 0. So this is the panic:

panic: runtime error: slice bounds out of range [22:0]

Added unit tests to avoid regression.

Full stack here: enforcerd.log
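The failure mode described in this PR, as an added example that is not trireme-lib's own code and does not use its real binary JWT layout: a hypothetical token format in which a 2-byte big-endian field at the front gives the byte offset where the signature starts. The unchecked parser uses that offset as a slice bound directly, so a token whose position field is zero (the "missing" case) panics with the same `slice bounds out of range [a:0]` shape seen in the log; the checked parser rejects any position that does not lie after the header and leave exactly one HMAC-SHA256 of room, then verifies the MAC in constant time before handing back claims. The layout, the key, the claims string and the helper names are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical layout, assumed for this example only (not trireme-lib's format):
//   tok[0:2]       big-endian uint16: byte offset where the signature starts (sigPos)
//   tok[2:sigPos]  claims payload
//   tok[sigPos:]   HMAC-SHA256 over tok[0:sigPos]
const headerLen = 2
const sigLen = sha256.Size

var errMalformed = errors.New("malformed token: bad signature position")
var errBadSig = errors.New("invalid signature")

// encodeToken builds a well-formed token under the assumed layout.
func encodeToken(claims, key []byte) []byte {
	sigPos := headerLen + len(claims)
	tok := make([]byte, headerLen, sigPos+sigLen)
	binary.BigEndian.PutUint16(tok[0:2], uint16(sigPos))
	tok = append(tok, claims...)
	mac := hmac.New(sha256.New, key)
	mac.Write(tok[:sigPos])
	return mac.Sum(tok) // appends the MAC after the claims
}

// parseUnchecked mirrors the bug class from the PR: sigPos comes straight from
// attacker-controlled bytes and is used as a slice bound with no validation.
// A token whose position field is 0 makes tok[headerLen:sigPos] panic with
// "runtime error: slice bounds out of range [2:0]".
func parseUnchecked(tok []byte) (claims, sig []byte) {
	sigPos := int(binary.BigEndian.Uint16(tok[0:2]))
	return tok[headerLen:sigPos], tok[sigPos:]
}

// parseChecked validates sigPos before any slicing and verifies the MAC
// before returning claims, so a malformed token is an error, not a crash.
func parseChecked(tok, key []byte) ([]byte, error) {
	if len(tok) < headerLen+sigLen {
		return nil, errMalformed
	}
	sigPos := int(binary.BigEndian.Uint16(tok[0:2]))
	// The position must sit after the header and leave exactly sigLen bytes
	// of signature; this also rejects sigPos == 0 and sigPos > len(tok).
	if sigPos < headerLen || sigPos+sigLen != len(tok) {
		return nil, errMalformed
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(tok[:sigPos])
	if !hmac.Equal(mac.Sum(nil), tok[sigPos:]) { // constant-time compare
		return nil, errBadSig
	}
	return tok[headerLen:sigPos], nil
}

// parseRecovers runs the unchecked parser and turns its panic into an error so
// the crash is observable; recover() here is for demonstration, not the fix.
func parseRecovers(tok []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	parseUnchecked(tok)
	return nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	good := encodeToken([]byte("sub=alice;ns=prod"), key)
	bad := append([]byte(nil), good...)
	bad[0], bad[1] = 0, 0 // position field zeroed, as in the PR's "missing" case

	fmt.Println("unchecked on zeroed position:", parseRecovers(bad))
	claims, err := parseChecked(good, key)
	fmt.Printf("checked on good token: %q err=%v\n", claims, err)
	_, err = parseChecked(bad, key)
	fmt.Println("checked on zeroed position:", err)
}
```

The ordering in parseChecked matters: the bounds check runs before any slice is taken, and the MAC check runs before any claim is returned, so an attacker who can flip bytes on the wire gets an error in both cases rather than a crashed enforcer.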

sibicramesh commented 4 years ago

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "",
    "component": "enforcerd",
    "pr-id": "1551",
    "commit-sha": "dc8842341f71ce64692c8184b81a3a97bca94403",
    "pipeline": "master"
  },
  {
    "project": "",
    "component": "trireme-lib",
    "pr-id": "951",
    "commit-sha": "9cbbc4d1b9c17c5ba77bca07c0b623d79c09e536",
    "pipeline": "master"
  }
]
codecov[bot] commented 4 years ago

Codecov Report

Merging #951 into master will increase coverage by 0.05%. The diff coverage is 100%.


@@            Coverage Diff             @@
##           master     #951      +/-   ##
==========================================
+ Coverage   54.87%   54.92%   +0.05%     
==========================================
  Files         123      123              
  Lines       11735    11735              
==========================================
+ Hits         6439     6445       +6     
+ Misses       4674     4671       -3     
+ Partials      622      619       -3
Impacted Files Coverage Δ
controller/pkg/tokens/binaryjwt.go 63.39% <100%> (+2.67%) :arrow_up:

Last update 619a1fd...9cbbc4d.