-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ISSUE #4593] Add server identity to replace user-agent white list. #4683
Conversation
} else if (StringUtils.isNotBlank(authConfigs.getServerIdentityKey()) && StringUtils | ||
.isNotBlank(authConfigs.getServerIdentityValue())) { | ||
String serverIdentity = req.getHeader(authConfigs.getServerIdentityKey()); | ||
if (authConfigs.getServerIdentityValue().equals(serverIdentity)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please note that comparing credential with equals
makes your application vulnerable to timing attack
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How to solve it? Can you provide some advise for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In my opinion, there is enough for equals. reason follow:
- Nacos is Internal IDC application, we recommend users use Nacos with internal network not public network, If hacker want to timing attack, the network has been controlled by hacker. And Cost much time to analyze package between nacos server.
- The key and value is defined by configuration file, as the first item said, if the internal network is in controlled by hacker. they can find the key and value by configuration file directly.
I'm not sure whether the timing attack is send a long string to hold equals resource. If so, I think we has no ability to solve all public application security problem
for an internal network application.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@KomachiSion FYI maybe you should use MessageDigest.isEquals
* 'develop' of https://github.com/alibaba/nacos: For checkstyle fix: fix Jraft WriteRequest type problem. Add server identity to replace user-agent white list. (alibaba#4683)
…op-import-v1 * 'develop' of https://github.com/alibaba/nacos: Use SafeConstructor to parse yaml configuration for AbstractConfigChangeListener (alibaba#4753) [ISSUE alibaba#3922] method createServiceIfAbsent in ServiceManager require sync (alibaba#4713) fix cloning configuration last desc (alibaba#4697) [ISSUE alibaba#4661]configServletInner#doGetConfig code optimization (alibaba#4666) Use revision to set version and upgrade to 1.4.2-SNAPSHOT (alibaba#4711) Revert interceptor all ui problem Fix alibaba#4701 (alibaba#4703) delete comment. fix metadata batch operation may delete instance problem. Upgrade to 1.4.1 (alibaba#4695) fix alibaba#4686 (alibaba#4692) Build nacos console front for 1.4.1 (alibaba#4690) For checkstyle fix: fix Jraft WriteRequest type problem. Add server identity to replace user-agent white list. (alibaba#4683)
Please do not create a Pull Request without creating an issue first.
What is the purpose of the change
For #4593 , Add server identity to replace user-agent white list.
Templately Fix security problem. User can shutdown user-agent white list and defined their own identity key and value for request between servers.
Brief changelog
Verifying this change
XXXX
Follow this checklist to help us incorporate your contribution quickly and easily:
[ISSUE #123] Fix UnknownException when host config not exist
. Each commit in the pull request should have a meaningful subject line and body.mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=true
to make sure basic checks pass. Runmvn clean install -DskipITs
to make sure unit-test pass. Runmvn clean test-compile failsafe:integration-test
to make sure integration-test pass.