Cherry-pick JWT CVE fix into 1.4 (#12)#2667
Conversation
* Fixed JWT CVE related to exact PATH matches (istio#9) * Fixed JWT CVE related to exact PATH matches Problem: The JWT filter when matching exact paths included query parameters which meant the JWT requirement could be bypassed by adding a "?" after the path. The API was intended to only work for URIs. Solution: The fix updates the match logic to only include URIs i.e. path stripped off the query section. Added unit tests to validate these cases. * Fixed formatting * Strip fragment of Path Added unit tests to validate combination of query & fragment * Fix lint * Minor refactoring and more unit test cases (istio#11) * Minor refactoring and more unit test cases * Lint fixes (cherry picked from commit 859552a)
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
googlebot
added
the
cla: no
istio-testing
added
the
size/M
howardjohn
added
cla: yes
|
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
4 participants
Fixed JWT CVE related to exact PATH matches (Add utils::Version object to remove version file in api_manager #9)
Fixed JWT CVE related to exact PATH matches
Problem: The JWT filter when matching exact paths included query parameters
which meant the JWT requirement could be bypassed by adding a "?" after the
path. The API was intended to only work for URIs.
Solution: The fix updates the match logic to only include URIs i.e. path
stripped off the query section.
Added unit tests to validate these cases.
Fixed formatting
Strip fragment of Path
Added unit tests to validate combination of query & fragment
Fix lint
Minor refactoring and more unit test cases (Use audiences field from AuthProvider if available #11)
Minor refactoring and more unit test cases
Lint fixes
(cherry picked from commit 859552a)
What this PR does / why we need it:
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Special notes for your reviewer:
Release note: