Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bugs in Authorization: Bearer … header parsing #112

Open
roy-work opened this issue Jun 22, 2022 · 1 comment
Open

Bugs in Authorization: Bearer … header parsing #112

roy-work opened this issue Jun 22, 2022 · 1 comment

Comments

@roy-work
Copy link

roy-work commented Jun 22, 2022
edited
Loading

The following test exposes a few issues in headers::authorization::Bearer:

#[cfg(test)]
mod tests {
  #[test]
  fn test_invalid_auth_header() {
    // Malformed, should not parse.
    let value = http::HeaderValue::from_str("Bearer    foo, Bearer bar").unwrap();
    use headers::authorization::Credentials;
    let decoded = headers::authorization::Bearer::decode(&value);
    println!("decoded = {:?}", decoded);
    println!("if decoded succeeded, the token was: {:?}", decoded.as_ref().map(|b| b.token()));
    // The header is malformed, so parsing should fail:
    assert!(decoded.is_none());
  }
}

Basically, Bearer's implementation will strip the leading string "Bearer " from the value, and return the remainder for as a token. This isn't valid according to the grammar for the Bearer authn scheme. (The grammar of the token itself is restricted to a certain set of characters, for example.) In fact, the code only checks that the header starts with Bearer in debug mode (as it is done w/ a debug_assert!), so in a release build, any value will parse, including, e.g., Basic <a basic headers' credentials>.

Even where the header is valid, and should parse, the .token() determines the token by simply removing "Bearer ".len() characters from the front of the header value, which itself is not correct: Bearer foobar (n.b., the double space; this is permitted by the grammar for the header, but is not part of the token) parses as it should, but .token() returns " foobar".

Last, the debug-mode-only debug_assert! asserts that the value starts with Bearer — but auth schemes in HTTP are case insensitive, so this too will reject valid inputs. (Note: the Basic auth-scheme parser shares its own version of this issue, too.)
@roy-work roy-work changed the title Bugs in Authorization: Bearer header parsing Bugs in Authorization: Bearer … header parsing Jun 22, 2022
@sbihel sbihel mentioned this issue Jun 22, 2023
Closed
@cole-h cole-h mentioned this issue Nov 19, 2023
Merged
@teohhanhui
Copy link

teohhanhui commented Dec 5, 2024
edited
Loading

Also, debug_assert! shouldn't be used for validation in the first place. ("Parse, don't validate.")

A client sending an invalid Authorization header value in dev mode shouldn't cause your web server to panic...

So something like this should work:

authorization_header_value.split_at_checked(7).and_then(|(scheme, token)| {
    if scheme.eq_ignore_ascii_case("Bearer ") {
        Some(token.trim_start_matches(' '))
    } else {
        None
    }
})

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@teohhanhui @roy-work