BreakGlass
[SECURITY VULN] Auth bypass vulnerability
Posting here >90 days after notifying the author.
The auth in BreakGlass appears to only decode the JWT and use the values as-is with no validation. This means a user could provide a decodable JWT token that is not issued from Google with an email of their choosing, bypassing auth, and escalating their GCP privileges.
https://github.com/Stillerman/BreakGlass/blob/master/modules/breakglass-api/src/auth.ts
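The difference between decoding and verifying a token, as an added example that is not part of the original report and is not BreakGlass code. The function names, the client ID and the locally generated RSA keys (standing in for Google's published signing keys) are all assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");
const fromB64url = (v) => JSON.parse(Buffer.from(v, "base64url").toString());
const ISSUERS = ["accounts.google.com", "https://accounts.google.com"];

// Decode-only: returns whatever the payload claims, with no proof of who issued it.
function decodeOnly(token) {
  return fromB64url(token.split(".")[1]);
}

// Checks algorithm, signature, issuer, audience and expiry before trusting any claim.
function verifyIdToken(token, publicKey, audience, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  if (fromB64url(h).alg !== "RS256") throw new Error("unexpected alg");
  const sig = Buffer.from(s, "base64url");
  if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, sig)) {
    throw new Error("bad signature");
  }
  const claims = fromB64url(p);
  if (!ISSUERS.includes(claims.iss)) throw new Error("bad issuer");
  if (claims.aud !== audience) throw new Error("bad audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// Constructed test material: a helper that signs a token with a given RSA key.
function signToken(claims, privateKey) {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const input = `${header}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign("sha256", Buffer.from(input), privateKey).toString("base64url")}`;
}

const issuer = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 }); // stand-in for Google
const other = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });  // not the issuer
const AUD = "example-client-id.apps.googleusercontent.com"; // hypothetical client ID
const claims = { iss: "https://accounts.google.com", aud: AUD,
  email: "admin@example.com", exp: Math.floor(Date.now() / 1000) + 300 };
const genuine = signToken(claims, issuer.privateKey);
const untrusted = signToken(claims, other.privateKey); // same claims, wrong signer

// True only if the token passes every check against the issuer's public key.
function accepts(token) {
  try { verifyIdToken(token, issuer.publicKey, AUD); return true; } catch { return false; }
}
```

In a real deployment the verification key is selected from the identity provider's published key set by the token's `kid` header rather than generated locally.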
Thank you for bringing this to my attention! I will take a look at it this weekend.