Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ISSUE #4593] Add server identity to replace user-agent white list. #4683

Merged
merged 1 commit into from
Jan 13, 2021

Conversation

KomachiSion
Copy link
Collaborator

Please do not create a Pull Request without creating an issue first.

What is the purpose of the change

For #4593 , Add server identity to replace user-agent white list.

Templately Fix security problem. User can shutdown user-agent white list and defined their own identity key and value for request between servers.

Brief changelog

  • Add server identity to replace user-agent white list.

Verifying this change

XXXX

Follow this checklist to help us incorporate your contribution quickly and easily:

  • Make sure there is a Github issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
  • Format the pull request title like [ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Write necessary unit-test to verify your logic correction, more mock a little better when cross module dependency exist. If the new feature or significant change is committed, please remember to add integration-test in test module.
  • Run mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=true to make sure basic checks pass. Run mvn clean install -DskipITs to make sure unit-test pass. Run mvn clean test-compile failsafe:integration-test to make sure integration-test pass.

@KomachiSion KomachiSion added the kind/enhancement Category issues or prs related to enhancement. label Jan 13, 2021
@KomachiSion KomachiSion added this to the 1.4.1 milestone Jan 13, 2021
@KomachiSion KomachiSion changed the title Add server identity to replace user-agent white list. [ISSUE #4593] Add server identity to replace user-agent white list. Jan 13, 2021
@KeRan213539 KeRan213539 merged commit 9989473 into alibaba:develop Jan 13, 2021
@KomachiSion KomachiSion deleted the develop-issue#4593 branch January 13, 2021 06:14
} else if (StringUtils.isNotBlank(authConfigs.getServerIdentityKey()) && StringUtils
.isNotBlank(authConfigs.getServerIdentityValue())) {
String serverIdentity = req.getHeader(authConfigs.getServerIdentityKey());
if (authConfigs.getServerIdentityValue().equals(serverIdentity)) {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please note that comparing credential with equals makes your application vulnerable to timing attack

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How to solve it? Can you provide some advise for this?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion, there is enough for equals. reason follow:

  1. Nacos is Internal IDC application, we recommend users use Nacos with internal network not public network, If hacker want to timing attack, the network has been controlled by hacker. And Cost much time to analyze package between nacos server.
  2. The key and value is defined by configuration file, as the first item said, if the internal network is in controlled by hacker. they can find the key and value by configuration file directly.

I'm not sure whether the timing attack is send a long string to hold equals resource. If so, I think we has no ability to solve all public application security problem for an internal network application.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KomachiSion FYI maybe you should use MessageDigest.isEquals

wjm0729 added a commit to wjm0729/nacos that referenced this pull request Jan 21, 2021
* 'develop' of https://github.com/alibaba/nacos:
  For checkstyle
  fix: fix Jraft WriteRequest type problem.
  Add server identity to replace user-agent white list. (alibaba#4683)
wjm0729 added a commit to wjm0729/nacos that referenced this pull request Jan 21, 2021
…op-import-v1

* 'develop' of https://github.com/alibaba/nacos:
  Use SafeConstructor to parse yaml configuration for AbstractConfigChangeListener (alibaba#4753)
  [ISSUE alibaba#3922] method createServiceIfAbsent in ServiceManager require sync (alibaba#4713)
  fix cloning configuration last desc (alibaba#4697)
  [ISSUE alibaba#4661]configServletInner#doGetConfig code optimization (alibaba#4666)
  Use revision to set version and upgrade to 1.4.2-SNAPSHOT (alibaba#4711)
  Revert interceptor all ui problem
  Fix alibaba#4701 (alibaba#4703)
  delete comment.
  fix metadata batch operation may delete instance problem.
  Upgrade to 1.4.1 (alibaba#4695)
  fix alibaba#4686 (alibaba#4692)
  Build nacos console front for 1.4.1 (alibaba#4690)
  For checkstyle
  fix: fix Jraft WriteRequest type problem.
  Add server identity to replace user-agent white list. (alibaba#4683)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/enhancement Category issues or prs related to enhancement.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants