shiro icon indicating copy to clipboard operation
shiro copied to clipboard
verified publisher icon apache

[Discussion] How to systematically deal with "auth bypass" issues

Open lprimak opened this issue 1 year ago • 3 comments

Discussion

Currently, every few weeks, Shiro projects receives a security vulnerability report. All of these reports are very similar in nature, but only slightly vary.

The themes are as follows:

  • Authentication directives do not work exactly as Spring does, thus leading to confusion and perceived as auth bypass
  • Some obscure characters and URL encoding or upper/lower-case lead to perceived auth bypass and confusion

We need to figure out what to do with those reports. Currently, there isn't even an agreement whether these are or are not a true security issues.

Proposal

  • Update documentation with a big disclaimer that the Ant pattern that's used in Shiro is not the same as Spring, so it can be easily linked to when security reports come in referencing this.
  • Put the same disclaimer into security vulnerability issue template.
  • URLdecode all incoming URLs, and then disallow any non-alphanumeric characters that go into authentication matching algorighm.

Please discuss. Thank you

lprimak avatar Jan 12 '25 04:01 lprimak

Thank @lprimak for opening this discussion. Agreed with point 1 and 2 of the proposal. About the point 3, we need to be careful about the backward compatibility and to not breaking changes.

fpapon avatar Jan 13 '25 07:01 fpapon

Do we have any way to verify backwards-compatibility of any changes such as this?

How about secure-by-default and ability to disable either URLdecode or special character rejection via a flag to the filter, specified in shiro.ini? Basically a feature flag that can be disabled?

lprimak avatar Jan 13 '25 17:01 lprimak

Yes I think the feature flag can be a good option. When I am talking about backward compatibility it's about the behavior with the same ini config file for the user. Agreed with the secure-by-default, it's a good way but any default changes should be well documented and a part of a major version. Thoughts?

fpapon avatar Jan 14 '25 06:01 fpapon

It's been a while, but I think making a Library/toolkit/framework like shiro "secure-by-default" is so reasonable, that's good enough for making it a breaking change. At least in the next major version, but maybe earlier.

Maybe emit a warning for two versions: "attention, the default behaviour will change and affect you".

bmarwell avatar Oct 11 '25 20:10 bmarwell