AuthJWT: Fix JWT query param leak (CVE-2023-1387) (#825)

fix JWT query param leak Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
2025-02-25 18:55:37 -06:00 · 2023-04-03 12:49:11 +01:00
parent 6e950ca62a
commit 96fdbbee90
3 changed files with 79 additions and 4 deletions
--- a/pkg/services/authn/clients/jwt.go
+++ b/pkg/services/authn/clients/jwt.go
@@ -19,6 +19,8 @@ import (
 	"github.com/grafana/grafana/pkg/util/errutil"
 )

+const authQueryParamName = "auth_token"
+
 var _ authn.ContextAwareClient = new(JWT)

 var (
@@ -50,6 +52,7 @@ func (s *JWT) Name() string {

 func (s *JWT) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identity, error) {
 	jwtToken := s.retrieveToken(r.HTTPRequest)
+	s.stripSensitiveParam(r.HTTPRequest)

 	claims, err := s.jwtService.Verify(ctx, jwtToken)
 	if err != nil {
@@ -120,6 +123,18 @@ func (s *JWT) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identi
 	return id, nil
 }

+// remove sensitive query param
+// avoid JWT URL login passing auth_token in URL
+func (s *JWT) stripSensitiveParam(httpRequest *http.Request) {
+	if s.cfg.JWTAuthURLLogin {
+		params := httpRequest.URL.Query()
+		if params.Has(authQueryParamName) {
+			params.Del(authQueryParamName)
+			httpRequest.URL.RawQuery = params.Encode()
+		}
+	}
+}
+
 // retrieveToken retrieves the JWT token from the request.
 func (s *JWT) retrieveToken(httpRequest *http.Request) string {
 	jwtToken := httpRequest.Header.Get(s.cfg.JWTAuthHeaderName)