Cherry-pick JWT CVE fix into master #2716
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the

ℹ️ Googlers: Go here for more info.
Force-pushed c0eab42 to a601dec:

* Fixed JWT CVE related to exact PATH matches (istio#9)
  * Fixed JWT CVE related to exact PATH matches
    Problem: The JWT filter when matching exact paths included query parameters which meant the JWT requirement could be bypassed by adding a "?" after the path. The API was intended to only work for URIs.
    Solution: The fix updates the match logic to only include URIs i.e. path stripped of the query section.
    Added unit tests to validate these cases.
  * Fixed formatting
  * Strip fragment of Path
    Added unit tests to validate combination of query & fragment
  * Fix lint
* Minor refactoring and more unit test cases (istio#11)
  * Minor refactoring and more unit test cases
  * Lint fixes

Signed-off-by: Yangmin Zhu <ymzhu@google.com>
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info.

Manually set

In response to a cherrypick label: new pull request created: #2718
* Fixed JWT CVE related to exact PATH matches (istio#9)
  * Fixed JWT CVE related to exact PATH matches
    Problem: The JWT filter when matching exact paths included query parameters which meant the JWT requirement could be bypassed by adding a "?" after the path. The API was intended to only work for URIs.
    Solution: The fix updates the match logic to only include URIs i.e. path stripped of the query section.
    Added unit tests to validate these cases.
  * Fixed formatting
  * Strip fragment of Path
    Added unit tests to validate combination of query & fragment
  * Fix lint
* Minor refactoring and more unit test cases (istio#11)
  * Minor refactoring and more unit test cases
  * Lint fixes
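The bypass the commit message describes (an exact-path JWT rule for "/admin" that does not fire for "/admin?" because the matcher compared the whole request-target, query and fragment included) is easy to reproduce in isolation. The following is an added example, not code from istio/proxy or from the authors of this PR: it shows the vulnerable comparison next to the fixed one, where the fix is to compare only the path portion, i.e. everything before the first "?" or "#". All names here (pathOnly, exactMatchVulnerable, exactMatchFixed, JwtRuleSet, the "/admin" and "/api/v1/secret" rule paths) are hypothetical and do not correspond to the filter's real API; the probe URIs are constructed for the demonstration.

```cpp
// Added example (not istio/proxy code): exact-path JWT rule matching before
// and after stripping the query and fragment from the request-target.
// All identifiers and rule paths below are hypothetical.
#include <cassert>
#include <iostream>
#include <string>
#include <vector>

// Return only the path component of a request-target: everything before the
// first '?' (query) or '#' (fragment), whichever comes first.
std::string pathOnly(const std::string& uri) {
  std::string::size_type end = uri.find_first_of("?#");
  return end == std::string::npos ? uri : uri.substr(0, end);
}

// Before the fix: the whole request-target is compared against the rule, so
// "/admin?" != "/admin" and the rule silently does not apply.
bool exactMatchVulnerable(const std::string& uri, const std::string& rulePath) {
  return uri == rulePath;
}

// After the fix: only the path is compared, so "/admin?" and "/admin#x" both
// hit the "/admin" rule, while "/admin/" and "/adminx" still do not.
bool exactMatchFixed(const std::string& uri, const std::string& rulePath) {
  return pathOnly(uri) == rulePath;
}

// Minimal stand-in for the filter's rule list (hypothetical structure): a JWT
// is required when any exact-path rule matches the request.
struct JwtRuleSet {
  std::vector<std::string> exactPaths;
  bool (*match)(const std::string&, const std::string&);

  bool jwtRequired(const std::string& uri) const {
    for (const auto& p : exactPaths) {
      if (match(uri, p)) return true;
    }
    return false;
  }
};

// True when the vulnerable matcher lets this request through with no token.
bool bypassWorks(const std::string& uri) {
  JwtRuleSet vulnerable{{"/admin", "/api/v1/secret"}, exactMatchVulnerable};
  return !vulnerable.jwtRequired(uri);
}

// True when the fixed matcher still demands a token for this request.
bool bypassBlocked(const std::string& uri) {
  JwtRuleSet fixed{{"/admin", "/api/v1/secret"}, exactMatchFixed};
  return fixed.jwtRequired(uri);
}

int main() {
  // Constructed probes: the plain path, the "?" bypass from the commit
  // message, query/fragment combinations, and two paths that must not match.
  const std::vector<std::string> probes = {
      "/admin", "/admin?", "/admin?x=1", "/admin#", "/admin?x=1#frag",
      "/admin/", "/adminx"};
  for (const auto& u : probes) {
    std::cout << u << "  vulnerable requires JWT: "
              << (bypassWorks(u) ? "NO (bypass)" : "yes")
              << "  fixed requires JWT: " << (bypassBlocked(u) ? "yes" : "no")
              << "\n";
  }
  return 0;
}
```

The example only covers the query and fragment cases the commit describes; it does not touch any other request-target normalization (percent-encoding, duplicate slashes, dot segments), which this PR does not address and which an exact matcher must be evaluated for separately.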