Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use regex for bearer token validation #1998

Merged
merged 1 commit into from
Sep 26, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Use regex for bearer token validation
divergentdave committed Sep 26, 2023
commit d7147cde7c9de3e0dcfa1c52c885411247349364
1 change: 1 addition & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions core/Cargo.toml
Original file line number Diff line number Diff line change
@@ -47,6 +47,7 @@ kube = { workspace = true, optional = true, features = ["rustls-tls"] }
k8s-openapi = { workspace = true, optional = true }
prio.workspace = true
rand = "0.8"
regex = "1.9.5"
reqwest = { version = "0.11.20", default-features = false, features = ["rustls-tls", "json"] }
ring = "0.16.20"
serde.workspace = true
40 changes: 10 additions & 30 deletions core/src/auth_tokens.rs
Original file line number Diff line number Diff line change
@@ -2,12 +2,13 @@ use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
use derivative::Derivative;
use http::{header::AUTHORIZATION, HeaderValue};
use rand::{distributions::Standard, prelude::Distribution};
use regex::Regex;
use ring::{
constant_time,
digest::{digest, SHA256, SHA256_OUTPUT_LEN},
};
use serde::{de::Error, Deserialize, Deserializer, Serialize, Serializer};
use std::str;
use std::{str, sync::OnceLock};

/// HTTP header where auth tokens are provided in messages between participants.
pub const DAP_AUTH_HEADER: &str = "DAP-Auth-Token";
@@ -204,36 +205,15 @@ impl BearerToken {
/// Validate that a bearer token value matches the format in
/// https://datatracker.ietf.org/doc/html/rfc6750#section-2.1.
fn validate(value: &str) -> Result<(), anyhow::Error> {
let mut iter = value.chars();
let mut any_non_equals = false;
// First loop: consume "normal" characters, stop when we see an equals sign for padding or
// reach the end of the input.
for c in &mut iter {
match c {
'a'..='z' | 'A'..='Z' | '0'..='9' | '-' | '.' | '_' | '~' | '+' | '/' => {
any_non_equals = true;
}
'=' => {
if !any_non_equals {
return Err(anyhow::anyhow!("bearer token may not start with '='"));
}
break;
}
_ => return Err(anyhow::anyhow!("bearer token may not contain '{c}'")),
}
}
// Second loop: consume any further padding characters, if present.
for c in &mut iter {
match c {
'=' => {}
_ => {
return Err(anyhow::anyhow!(
"bearer token may only contain '=' at the end"
))
}
}
static REGEX: OnceLock<Regex> = OnceLock::new();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neat-o, OnceLock was stabilized in 1.70, which is now our MSRV. We can probably drop lazy_static, with a bit of effort.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Already done in #1852 😁

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aha, while I was on vacation 😆


let regex = REGEX.get_or_init(|| Regex::new("^[-A-Za-z0-9._~+/]+=*$").unwrap());

if regex.is_match(value) {
Ok(())
} else {
Err(anyhow::anyhow!("bearer token has invalid format"))
}
Ok(())
}
}