== Code review
Now let's look at a code review and think about an attack that uses `alg: none`. For this we use the following token — note that its third (signature) segment is empty, so the token ends with a trailing `.`:
[source]
----
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwidXNlciI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.
----
whose header and payload segments decode to (the signature segment is empty):
[source]
----
{
  "alg" : "none",
  "typ" : "JWT"
},
{
  "admin" : true,
  "iat" : 1516239022,
  "sub" : "1234567890",
  "user" : "John Doe"
}
----
[source%linenums, java]
----
// Listing 1: authorize a destructive action from a bearer token.
// The token is parsed with the configured signing key and the "admin"
// claim alone decides whether removeAllUsers() runs.
try {
    // parseClaimsJws(): the JWS entry point of the parser, i.e. it is meant
    // for a signed token (header.payload.signature) verified with JWT_PASSWORD.
    // NOTE(review): what it does with a token whose signature segment is
    // empty, like the alg:none token above, depends on the library version —
    // confirm against the jjwt release in use.
    Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parseClaimsJws(accessToken);
    Claims claims = (Claims) jwt.getBody();
    // Read but not used anywhere below.
    String user = (String) claims.get("user");
    // NOTE(review): the sample token carries "admin" as a JSON boolean, so
    // claims.get("admin") yields a Boolean and the (String) cast throws
    // ClassCastException. That is not a JwtException, so it escapes the catch
    // below; only a string-valued claim ("admin": "true") reaches Boolean.valueOf.
    boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
    if (isAdmin) {
        // Authorization rests entirely on a claim taken from the token.
        removeAllUsers();
    } else {
        log.error("You are not an admin user");
    }
} catch (JwtException e) {
    // Any parse or verification failure is surfaced to the caller as
    // InvalidTokenException (cause preserved).
    throw new InvalidTokenException(e);
}
----
[source%linenums, java]
----
// Listing 2: same flow as listing 1 — token parsed with the configured key,
// "admin" claim decides whether removeAllUsers() runs.
try {
    // The only line that differs from listing 1: parse() instead of
    // parseClaimsJws(). parse() is the generic entry point that returns a Jwt
    // for any token shape, not only a signed JWS.
    // NOTE(review): check whether parse() still enforces the configured key
    // when the token declares alg:none and carries an empty signature segment,
    // as the sample token above does — confirm against the jjwt release in use.
    Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
    Claims claims = (Claims) jwt.getBody();
    // Read but not used anywhere below.
    String user = (String) claims.get("user");
    // NOTE(review): with "admin": true (JSON boolean) the (String) cast throws
    // ClassCastException, which is not a JwtException and is not caught below;
    // a string claim ("admin": "true") is what Boolean.valueOf actually parses.
    boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
    if (isAdmin) {
        // Authorization rests entirely on a claim taken from the token.
        removeAllUsers();
    } else {
        log.error("You are not an admin user");
    }
} catch (JwtException e) {
    // Any parse or verification failure is surfaced to the caller as
    // InvalidTokenException (cause preserved).
    throw new InvalidTokenException(e);
}
----
Can you spot the weakness? The two listings differ in a single call (`parseClaimsJws` versus `parse`); think about what each one accepts when the token's signature segment is empty, as in the `alg: none` token above, and whether the configured signing key is still enforced in that case.