Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: missing handler defaults to authorize #254

Closed
afhp2018 opened this issue Sep 2, 2024 · 2 comments
Closed

Security: missing handler defaults to authorize #254

afhp2018 opened this issue Sep 2, 2024 · 2 comments
Assignees
@afhp2018
Labels
bug

Comments

@afhp2018
Copy link

afhp2018 commented Sep 2, 2024

Security plugin does not handle missing security callback correctly:

(./Plugin/OpenAPI/Security.pm:68)

  for my $security_and (@security_or) {
      for my $name (sort keys %$security_and) {
        my $security_cb = $handlers->{$name};

        if (!$security_cb) {
          $res{$name} = {message => "No security callback for $name."} unless exists $res{$name};
        }
        elsif (!exists $res{$name}) {
          $res{$name} = undef;
          $n_checks++;

          # $security_cb is obviously called synchronously, but the callback
          # might also be called synchronously. We need the $sync_mode guard
          # to make sure that we do not call continue() if that is the case.
          $c->$security_cb(
            $definitions->{$name},
            $security_and->{$name},
            sub {
              $res{$name} //= $_[1];
              $security_completed->() if --$n_checks == 0;
            }
          );
        }
      }
    }

If there is no handler defined in the code, $security_completed->() is never called and does not deny the request.

Correct would be:

   for my $security_and (@security_or) {
      for my $name (sort keys %$security_and) {
        my $security_cb = $handlers->{$name};

        if (!$security_cb) {
          $res{$name} = {message => "No security callback for $name."} unless exists $res{$name};
          $security_completed->();
        }
        elsif (!exists $res{$name}) {
          $res{$name} = undef;
          $n_checks++;

          # $security_cb is obviously called synchronously, but the callback
          # might also be called synchronously. We need the $sync_mode guard
          # to make sure that we do not call continue() if that is the case.
          $c->$security_cb(
            $definitions->{$name},
            $security_and->{$name},
            sub {
              $res{$name} //= $_[1];
              $security_completed->() if --$n_checks == 0;
            }
          );
        }
      }
    }
@jhthorsen jhthorsen added the bug label Sep 12, 2024
@jhthorsen
Copy link
Owner

jhthorsen commented Sep 12, 2024
edited
Loading

Thanks for noticing 👍 Can you open a PR with a test as well?

@jhthorsen
Copy link
Owner

jhthorsen commented Sep 12, 2024
edited
Loading

Oh, you already did 😸

Going to be closed by #255

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@afhp2018 afhp2018

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jhthorsen @afhp2018