admin console: log when JWTAuth::verify() doesn't have enough tokens

This is no longer a huge problem, but it's still a good idea to return
early in that case.

Found with the recently added admin_fuzzer, when I locally disabled the
StringVector safety checks for test purposes.

(If you view the diff with -U30, then you see that we access tokens[2]
later, so if size is < 3, we should give up.)

Change-Id: I46fc531fb042cc1485a17a9e994ad37e9ff0cd80
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91587
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
distro/collabora/co-4-2-2
Miklos Vajna 2020-04-02 17:30:14 +02:00
parent 4bdd0497ed
commit fc88a872c2
3 changed files with 7 additions and 0 deletions

@ -0,0 +1 @@
auth jwt=eyJakilliwiZXhwIjoiMTU4NTU3O3hbGciOiJ€UzI1NiIsInR5MJ0.DM1NeyJpc3MiOiJiJ9
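Review bot: the value after `jwt=` in this seed contains a single '.', so (assuming the tokens are split on '.', as the `tokens[0] + '.' + tokens[1]` line in verify() suggests) it only exercises the two-segment case. Consider adding seeds with no '.' at all and with more than three segments, so the corpus covers both sides of the size check. A line in the commit message saying which case this file reproduces would help anyone triaging the corpus later.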

@ -105,6 +105,12 @@ bool JWTAuth::verify(const std::string& accessToken)
try
{
if (tokens.size() < 3)
{
LOG_INF("JWTAuth: verification failed; Not enough tokens");
return false;
}
const std::string encodedBody = tokens[0] + '.' + tokens[1];
_digestEngine.update(encodedBody.c_str(), static_cast<unsigned>(encodedBody.length()));
Poco::Crypto::DigestEngine::Digest digest = _digestEngine.signature();
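Review bot: the guard `if (tokens.size() < 3)` still lets through input with more than three segments. Only tokens[0] and tokens[1] go into `encodedBody`, and the commit message says tokens[2] is read later, so any further segments would be silently ignored. Consider `tokens.size() != 3` so that anything that is not exactly header, payload and signature is rejected up front. It would also help to include tokens.size() in the log message (not the token itself) so the failure can be diagnosed from the admin console log.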