Use regex for bearer token validation (#1998)

divviup · Sep 26, 2023 · 994f61e · 994f61e
1 parent b394036
commit 994f61e
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 30 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/core/Cargo.toml b/core/Cargo.toml
@@ -47,6 +47,7 @@ kube = { workspace = true, optional = true, features = ["rustls-tls"] }
 k8s-openapi = { workspace = true, optional = true }
 prio.workspace = true
 rand = "0.8"
+regex = "1.9.5"
 reqwest = { version = "0.11.20", default-features = false, features = ["rustls-tls", "json"] }
 ring = "0.16.20"
 serde.workspace = true

diff --git a/core/src/auth_tokens.rs b/core/src/auth_tokens.rs
@@ -2,12 +2,13 @@ use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use derivative::Derivative;
 use http::{header::AUTHORIZATION, HeaderValue};
 use rand::{distributions::Standard, prelude::Distribution};
+use regex::Regex;
 use ring::{
     constant_time,
     digest::{digest, SHA256, SHA256_OUTPUT_LEN},
 };
 use serde::{de::Error, Deserialize, Deserializer, Serialize, Serializer};
-use std::str;
+use std::{str, sync::OnceLock};
 
 /// HTTP header where auth tokens are provided in messages between participants.
 pub const DAP_AUTH_HEADER: &str = "DAP-Auth-Token";
@@ -204,36 +205,15 @@ impl BearerToken {
     /// Validate that a bearer token value matches the format in
     /// https://datatracker.ietf.org/doc/html/rfc6750#section-2.1.
     fn validate(value: &str) -> Result<(), anyhow::Error> {
-        let mut iter = value.chars();
-        let mut any_non_equals = false;
-        // First loop: consume "normal" characters, stop when we see an equals sign for padding or
-        // reach the end of the input.
-        for c in &mut iter {
-            match c {
-                'a'..='z' | 'A'..='Z' | '0'..='9' | '-' | '.' | '_' | '~' | '+' | '/' => {
-                    any_non_equals = true;
-                }
-                '=' => {
-                    if !any_non_equals {
-                        return Err(anyhow::anyhow!("bearer token may not start with '='"));
-                    }
-                    break;
-                }
-                _ => return Err(anyhow::anyhow!("bearer token may not contain '{c}'")),
-            }
-        }
-        // Second loop: consume any further padding characters, if present.
-        for c in &mut iter {
-            match c {
-                '=' => {}
-                _ => {
-                    return Err(anyhow::anyhow!(
-                        "bearer token may only contain '=' at the end"
-                    ))
-                }
-            }
+        static REGEX: OnceLock<Regex> = OnceLock::new();
+
+        let regex = REGEX.get_or_init(|| Regex::new("^[-A-Za-z0-9._~+/]+=*$").unwrap());
+
+        if regex.is_match(value) {
+            Ok(())
+        } else {
+            Err(anyhow::anyhow!("bearer token has invalid format"))
         }
-        Ok(())
     }
 }