Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use regex for bearer token validation #1998

Merged
merged 1 commit into from
Sep 26, 2023
Merged

Use regex for bearer token validation #1998

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions core/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ kube = { workspace = true, optional = true, features = ["rustls-tls"] }
k8s-openapi = { workspace = true, optional = true }
prio.workspace = true
rand = "0.8"
regex = "1.9.5"
reqwest = { version = "0.11.20", default-features = false, features = ["rustls-tls", "json"] }
ring = "0.16.20"
serde.workspace = true
Expand Down
40 changes: 10 additions & 30 deletions core/src/auth_tokens.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,13 @@ use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
use derivative::Derivative;
use http::{header::AUTHORIZATION, HeaderValue};
use rand::{distributions::Standard, prelude::Distribution};
use regex::Regex;
use ring::{
constant_time,
digest::{digest, SHA256, SHA256_OUTPUT_LEN},
};
use serde::{de::Error, Deserialize, Deserializer, Serialize, Serializer};
use std::str;
use std::{str, sync::OnceLock};

/// HTTP header where auth tokens are provided in messages between participants.
pub const DAP_AUTH_HEADER: &str = "DAP-Auth-Token";
Expand Down Expand Up @@ -204,36 +205,15 @@ impl BearerToken {
/// Validate that a bearer token value matches the format in
/// https://datatracker.ietf.org/doc/html/rfc6750#section-2.1.
fn validate(value: &str) -> Result<(), anyhow::Error> {
let mut iter = value.chars();
let mut any_non_equals = false;
// First loop: consume "normal" characters, stop when we see an equals sign for padding or
// reach the end of the input.
for c in &mut iter {
match c {
'a'..='z' | 'A'..='Z' | '0'..='9' | '-' | '.' | '_' | '~' | '+' | '/' => {
any_non_equals = true;
}
'=' => {
if !any_non_equals {
return Err(anyhow::anyhow!("bearer token may not start with '='"));
}
break;
}
_ => return Err(anyhow::anyhow!("bearer token may not contain '{c}'")),
}
}
// Second loop: consume any further padding characters, if present.
for c in &mut iter {
match c {
'=' => {}
_ => {
return Err(anyhow::anyhow!(
"bearer token may only contain '=' at the end"
))
}
}
static REGEX: OnceLock<Regex> = OnceLock::new();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neat-o, OnceLock was stabilized in 1.70, which is now our MSRV. We can probably drop lazy_static, with a bit of effort.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Already done in #1852 😁

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aha, while I was on vacation 😆


let regex = REGEX.get_or_init(|| Regex::new("^[-A-Za-z0-9._~+/]+=*$").unwrap());

if regex.is_match(value) {
Ok(())
} else {
Err(anyhow::anyhow!("bearer token has invalid format"))
}
Ok(())
}
}

Expand Down
Loading