[release-1.5] Cherry-pick JWT CVE fix into 1.5#2718
[release-1.5] Cherry-pick JWT CVE fix into 1.5#2718istio-testing merged 1 commit intoistio:release-1.5from
Conversation
* Fixed JWT CVE related to exact PATH matches (istio#9) * Fixed JWT CVE related to exact PATH matches Problem: The JWT filter when matching exact paths included query parameters which meant the JWT requirement could be bypassed by adding a "?" after the path. The API was intended to only work for URIs. Solution: The fix updates the match logic to only include URIs i.e. path stripped off the query section. Added unit tests to validate these cases. * Fixed formatting * Strip fragment of Path Added unit tests to validate combination of query & fragment * Fix lint * Minor refactoring and more unit test cases (istio#11) * Minor refactoring and more unit test cases * Lint fixes Signed-off-by: Yangmin Zhu <ymzhu@google.com>
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
googlebot
added
the
cla: no
istio-testing
added
the
size/M
yangminzhu
added
cla: yes
|
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
|
Manually set cla: yes as @nrjpoddar has committed the same change to other branches. |
yangminzhu
changed the title
|
@istio/release-managers-1-5 could you take a look? we should have cherry-picked this sooner after https://istio.io/news/releases/1.4.x/announcing-1.4.4/, need one more PR to update the proxy sha in istio. thanks. |
4 participants
This is an automated cherry-pick of #2716