
Middleware loading failures allow unauthenticated/unauthorized traffic through

Open ben-kotvis opened this issue 2 years ago • 8 comments

Expected Behavior

If you have bearer middleware or OPA middleware that is supposed to potentially control access to your APIs and an error occurs loading the middleware, the service shouldn't be accessible. If there is a failure to load those middleware types, the service should always block traffic beyond where those middleware layers were designed to protect.

EDIT: I put a little more thought into this and for OPA I think the default behavior if there is a failure to load would be a 403 and for the bearer middleware a 401. Because of that I am inclined to think the middleware component should handle that on its own instead of the code that loads it.

Actual Behavior

If you use middleware such as bearer and/or OPA and either of the middleware implementations can't be loaded, it just allows all traffic to any services beyond the middleware. This essentially removes security from your APIs and is very undesirable. It seems like the correct behavior should be to block all traffic so security isn't leaked unintentionally.

Steps to Reproduce the Problem

  1. Use OPA middleware to look for a specific header in a request.
  2. Have invalid Rego such as below.
  3. Add a bearer middleware as well
  4. All traffic is allowed, regardless of the presence of a bearer token

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: mypolicy
spec:
  type: middleware.http.opa
  version: v1
  metadata:
  - name: includedHeaders
    value: "X-Origin"
  - name: defaultStatus
    value: 403
  - name: rego
    value: |
      package http
      default allow = false
      allow = { "allow": true, "additional_headers" : other_headers } {
        jwt.payload["roles"][_] = "AccessProxy"
        input.request.headers["X-Origin"]
      }
---
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: bearertoken
spec:
  type: middleware.http.bearer
  version: v1
  metadata:
  - name: clientId
    value: ""
  - name: issuerURL
    value: "https://login.microsoftonline.com//v2.0"

Release Note

RELEASE NOTE:

ben-kotvis, Apr 04 '22 18:04
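The fail-open versus fail-closed behaviour the report describes, as an added example (not Dapr's code and not the reporter's): a minimal Go pipeline builder that wires handlers in declaration order, stub bearer and OPA loaders that fail the same way the issue's components do (empty clientId, policy that does not compile), and a switch between skipping a broken handler (the reported behaviour) and replacing it with a deny handler that returns 401 for the bearer component and 403 for OPA. The loader signatures, the stub checks and the request path are assumptions for the illustration; the 401/403 choice follows the reporter's edit.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Middleware wraps the next handler in the pipeline.
type Middleware func(next http.Handler) http.Handler

// Loader turns component metadata into a Middleware, or fails when the
// component cannot be configured (hypothetical shape, not Dapr's interface).
type Loader func(metadata map[string]string) (Middleware, error)

// HandlerSpec mirrors one entry of a Dapr httpPipeline handlers list.
type HandlerSpec struct {
	Name, Type string
	Metadata   map[string]string
}

// Stub bearer loader: fails on empty clientId/issuerURL; once loaded it
// rejects requests without an Authorization: Bearer header with 401.
func loadBearer(md map[string]string) (Middleware, error) {
	if md["clientId"] == "" || md["issuerURL"] == "" {
		return nil, errors.New("bearer: clientId and issuerURL are required")
	}
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
				w.WriteHeader(http.StatusUnauthorized)
				return
			}
			next.ServeHTTP(w, r)
		})
	}, nil
}

// Stub OPA loader: "compilation" fails on an empty policy; once loaded it
// rejects requests missing the header named in includedHeaders with 403.
func loadOPA(md map[string]string) (Middleware, error) {
	if strings.TrimSpace(md["rego"]) == "" {
		return nil, errors.New("opa: rego policy failed to compile")
	}
	header := md["includedHeaders"]
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if r.Header.Get(header) == "" {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}, nil
}

// failClosedStatus: what a broken access-control layer should answer instead
// of passing traffic through (401 authentication, 403 authorization, else 500).
func failClosedStatus(componentType string) int {
	switch componentType {
	case "middleware.http.bearer":
		return http.StatusUnauthorized
	case "middleware.http.opa":
		return http.StatusForbidden
	}
	return http.StatusInternalServerError
}

// denyWith short-circuits every request with a fixed status.
func denyWith(status int) Middleware {
	return func(http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(status) })
	}
}

// BuildPipeline wraps app with specs in declaration order (first is outermost).
// failOpen=true reproduces the report: a handler that fails to load is skipped.
// failOpen=false substitutes a deny handler for the broken component.
func BuildPipeline(specs []HandlerSpec, loaders map[string]Loader, app http.Handler, failOpen bool) http.Handler {
	h := app
	for i := len(specs) - 1; i >= 0; i-- {
		spec := specs[i]
		var mw Middleware
		err := fmt.Errorf("no loader for %s", spec.Type)
		if loader, ok := loaders[spec.Type]; ok {
			mw, err = loader(spec.Metadata)
		}
		if err != nil {
			if failOpen {
				continue // the bug: traffic flows past the missing layer
			}
			mw = denyWith(failClosedStatus(spec.Type))
		}
		h = mw(h)
	}
	return h
}

// Probe sends one request with the given headers and returns the status code.
func Probe(pipeline http.Handler, headers map[string]string) int {
	req := httptest.NewRequest(http.MethodGet, "/v1.0/invoke/app/method/hello", nil) // assumed path
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	pipeline.ServeHTTP(rec, req)
	return rec.Code
}

var loaders = map[string]Loader{"middleware.http.bearer": loadBearer, "middleware.http.opa": loadOPA}

// issueSpecs echoes the reported setup: bearer with an empty clientId (fails to
// load) in front of an OPA policy that this stub accepts.
func issueSpecs() []HandlerSpec {
	return []HandlerSpec{
		{Name: "bearertoken", Type: "middleware.http.bearer",
			Metadata: map[string]string{"clientId": "", "issuerURL": "https://login.microsoftonline.com//v2.0"}},
		{Name: "mypolicy", Type: "middleware.http.opa",
			Metadata: map[string]string{"includedHeaders": "X-Origin", "rego": "package http\ndefault allow = false"}},
	}
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	anon := map[string]string{"X-Origin": "test"} // no bearer token at all
	fmt.Println("fail-open, no token: ", Probe(BuildPipeline(issueSpecs(), loaders, app, true), anon))
	fmt.Println("fail-closed, no token:", Probe(BuildPipeline(issueSpecs(), loaders, app, false), anon))
}
```

With the issue's configuration the fail-open build answers 200 to a request carrying no token, because the bearer layer was silently dropped and only the OPA header check ran; the fail-closed build answers 401 from the substituted deny handler. Fixing the bearer metadata and breaking the Rego instead moves the short circuit to the OPA position, which then answers 403 even to a request with a valid-looking token.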

Have you configured the HTTP middleware pipeline? Such as:

apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: pipeline
  namespace: default
spec:
  httpPipeline:
    handlers:
    - name: bearertoken
      type: middleware.http.bearer
    - name: mypolicy
      type: middleware.http.opa

You can get more info from https://docs.dapr.io/developing-applications/middleware/

Taction, Apr 09 '22 09:04

@Taction yes, that is exactly how my middleware config is setup (other than the metadata name and namespace).

ben-kotvis, Apr 09 '22 14:04

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot, May 09 '22 14:05

I am going to submit a PR for this

ben-kotvis, May 13 '22 23:05

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot, Jun 12 '22 23:06

@ben-kotvis are you still planning to submit a PR?

yaron2, Jun 13 '22 15:06

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot, Jul 13 '22 15:07

ping @ben-kotvis

yaron2, Jul 13 '22 21:07

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot, Aug 12 '22 21:08

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot, Sep 12 '22 03:09

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as pinned, good first issue, help wanted or triaged/resolved. Thank you for your contributions.

dapr-bot, Sep 19 '22 03:09