datalust / seq-tickets

Issues, design discussions and feature roadmap for the Seq log server
https://datalust.co/seq
98 stars 5 forks source link

API key creation allows duplicate tokens in Norwegian/Danish locale #2102

Closed nblumhardt closed 8 months ago

nblumhardt commented 9 months ago

A culture-specific string comparison bug leads to some API key tokens not being recognized when the Seq server is running in a Norwegian or Danish locale.

Affected tokens are those that have a double A in the fourth and fifth character positions:

123AA456789012345678

In C#, k.Substring(0, 4) will result in "123A", but k.StartsWith("123A") is false, because AA is a digraph usually written as Å in Danish and Norwegian orthography.

The four-character API key token prefix comparison is not security-senstive, it's just a tag that can be used to identify the key, with the remaining characters forming the sensitive/secret API key proper.

The prefix is, however, used to optimize lookups for inbound previously-unseen API keys, given that storage is salted and hashed, preventing keys being looked up directly.

The bug causes the prefix lookup to fail, so keys are not found, and inbound requests end up consuming nontrivial CPU attempting to load the key each time. Attempts to re-create the key may result in duplicates, since the existing-key duplicate check relies on the same prefix lookup.

nblumhardt commented 8 months ago

We're bringing forward 2024.2 and will schedule this fix there.