greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

Multiple Panics when Parsing Caddyfile #263

Open ahpaleus opened 1 year ago

ahpaleus commented 1 year ago

Severity: Low

Multiple parsing functions do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a Caddyfile may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server.

Integrate nil checks for input values before element access across all relevant functions to address these issues.

To prevent similar issues of this type, add Golang’s native fuzz tests for Caddyfile parsing functions.

Example crashes:

package security

import (
    "testing"

    "github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
)

// Each test feeds parseCaddyfile a directive that ends right after a keyword,
// so the argument lookup that follows has nothing to index and panics.
func TestCrashCredentialsUsername(t *testing.T) {
    file := caddyfile.NewTestDispenser("0 { credentials 0 { username")
    parseCaddyfile(file, nil)
}

func TestCrashCredentialsDomain(t *testing.T) {
    file := caddyfile.NewTestDispenser("0 { credentials 0 { domain")
    parseCaddyfile(file, nil)
}

func TestCrashSSOProvider(t *testing.T) {
    file := caddyfile.NewTestDispenser("00 {  sso provider 0 {  entity_id")
    parseCaddyfile(file, nil)
}

func TestCrashParseCaddyfileMessaging(t *testing.T) {
    file := caddyfile.NewTestDispenser("0 { messaging email provider 0 { address")
    parseCaddyfile(file, nil)
}

Example crash log:

=== RUN   TestCrashCredentials
--- FAIL: TestCrashCredentials (0.00s)
panic: runtime error: index out of range [0] with length 0 [recovered]
    panic: runtime error: index out of range [0] with length 0

goroutine 40 [running]:
testing.tRunner.func1.2({0x2421580, 0xc000154b28})
    /usr/local/opt/go/libexec/src/testing/testing.go:1526 +0x24e
testing.tRunner.func1()
    /usr/local/opt/go/libexec/src/testing/testing.go:1529 +0x39f
panic({0x2421580, 0xc000154b28})
    /usr/local/opt/go/libexec/src/runtime/panic.go:884 +0x213
github.com/greenpau/caddy-security.parseCaddyfileCredentials(0xc000c50ae0, 0x19462d1?, 0xc00081b760)
    audit-caddy/audit-caddy-security/caddyfile_credentials.go:53 +0x534
github.com/greenpau/caddy-security.parseCaddyfile(0xc000c50ae0, {0xc000161760?, 0x1092fb7?})
    audit-caddy/audit-caddy-security/caddyfile.go:60 +0x392
github.com/greenpau/caddy-security.TestCrashCredentials(0x0?)
    audit-caddy/audit-caddy-security/caddyfile_authn_test.go:986 +0x2e
testing.tRunner(0xc000502340, 0x2ddadc0)
    /usr/local/opt/go/libexec/src/testing/testing.go:1576 +0x10b
created by testing.(*T).Run
    /usr/local/opt/go/libexec/src/testing/testing.go:1629 +0x3ea

More information about our public disclosure:
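The report asks for two things: a length check before every element access in the Caddyfile parsing functions, and a native Go fuzz test that would have found the missing checks. The block below is an added illustration of both, not code from caddy-security: it uses a constructed mini-tokenizer for a `credentials` block instead of the real `caddyfile.Dispenser` (where the equivalent calls are `d.RemainingArgs()` and `d.ArgErr()`), puts the unguarded indexing next to the guarded form, and seeds a `FuzzXxx` function with the report's own crash inputs. The `Credentials` type, the parser names and the `callRecovering` helper are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"testing"
)

// Credentials is the hypothetical result of parsing
// "credentials <name> { username <u> domain <d> }".
type Credentials struct {
	Name, Username, Domain string
}

var errMissingArg = errors.New("missing argument")

// tokenize splits a constructed Caddyfile-like snippet on whitespace,
// keeping braces as their own tokens (a stand-in for the real dispenser).
func tokenize(s string) []string {
	return strings.Fields(strings.NewReplacer("{", " { ", "}", " } ").Replace(s))
}

// parseCredentialsUnsafe shows the defect pattern from the report: the
// remaining arguments are indexed without a length check, so a directive
// that ends right after the keyword panics with "index out of range".
func parseCredentialsUnsafe(tokens []string) (*Credentials, error) {
	if len(tokens) < 3 || tokens[0] != "credentials" || tokens[2] != "{" {
		return nil, errMissingArg
	}
	c := &Credentials{Name: tokens[1]}
	for i := 3; i < len(tokens) && tokens[i] != "}"; i += 2 {
		args := tokens[i+1:] // same role as d.RemainingArgs(): may be empty
		switch tokens[i] {
		case "username":
			c.Username = args[0] // no len(args) check: panics on truncated input
		case "domain":
			c.Domain = args[0]
		default:
			return nil, fmt.Errorf("unknown key %q", tokens[i])
		}
	}
	return c, nil
}

// parseCredentialsSafe is the hardened form: every element access is
// guarded, and an unterminated block is reported instead of ignored.
func parseCredentialsSafe(tokens []string) (*Credentials, error) {
	if len(tokens) < 3 || tokens[0] != "credentials" || tokens[2] != "{" {
		return nil, errMissingArg
	}
	c := &Credentials{Name: tokens[1]}
	i := 3
	for ; i < len(tokens) && tokens[i] != "}"; i += 2 {
		key, args := tokens[i], tokens[i+1:]
		if len(args) == 0 || args[0] == "}" { // the check the report asks for
			return nil, fmt.Errorf("%s: %w", key, errMissingArg)
		}
		switch key {
		case "username":
			c.Username = args[0]
		case "domain":
			c.Domain = args[0]
		default:
			return nil, fmt.Errorf("unknown key %q", key)
		}
	}
	if i >= len(tokens) {
		return nil, errors.New("unterminated credentials block")
	}
	return c, nil
}

// callRecovering runs a parser and converts a panic into an error, so the
// two variants can be compared without aborting the process.
func callRecovering(parse func([]string) (*Credentials, error), input string) (c *Credentials, err error) {
	defer func() {
		if r := recover(); r != nil {
			c, err = nil, fmt.Errorf("panic: %v", r)
		}
	}()
	return parse(tokenize(input))
}

// FuzzParseCredentials is the native Go fuzz test the report recommends.
// The seed corpus is the report's crash inputs; any panic found by
// `go test -fuzz=FuzzParseCredentials` is reported as a failing input.
func FuzzParseCredentials(f *testing.F) {
	for _, seed := range []string{
		"credentials 0 { username",
		"credentials 0 { domain",
		"credentials 0 { username alice domain example.com }",
	} {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, input string) {
		_, _ = parseCredentialsSafe(tokenize(input)) // must never panic
	})
}

func main() {
	for _, input := range []string{"credentials 0 { username", "credentials 0 { domain"} {
		_, unsafeErr := callRecovering(parseCredentialsUnsafe, input)
		_, safeErr := callRecovering(parseCredentialsSafe, input)
		fmt.Printf("%-26q unsafe: %v | safe: %v\n", input, unsafeErr, safeErr)
	}
}
```

Against the seed inputs the unguarded parser panics with the same "index out of range [0] with length 0" message as the report's log, while the guarded parser returns a wrapped `errMissingArg`; placing the fuzz function in a `_test.go` file of the real package and pointing it at `parseCaddyfile` is the form the report suggests.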