jwt-auth-proxy

Query params in URL bypass BLACKLIST setting

Open li6in9muyou opened this issue 2 years ago • 0 comments

To reproduce

  1. Set PROXY_BLACKLIST to /blacklist.
  2. Send a GET request to /blacklist without any authorization header.
  3. Now send another GET request with query params, /blacklist?foo=bar, without any authorization header.

Expected behavior

Both requests get 401.

Actual behavior

The second request does not get 401.

Possible cause

I believe the cause is in this function https://github.com/virtualzone/jwt-auth-proxy/blob/6d8bff8a751d58e54982791935efdf8aad0eaeb9/src/routes.go#L154-L228

li6in9muyou, Jun 03 '23 03:06
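The behaviour reported above is what an exact comparison against the raw request target would produce. This is an added example, not code from jwt-auth-proxy or from the issue author. It assumes that kind of comparison, and `listed`, `matchRaw`, `matchPath` and `status` are hypothetical names. It places the assumed flawed check beside one that compares only the parsed path.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// Constructed stand-in for PROXY_BLACKLIST=/blacklist from the report.
var blacklist = []string{"/blacklist"}

func listed(s string) bool {
	for _, p := range blacklist {
		if s == p {
			return true
		}
	}
	return false
}

// matchRaw (assumed flaw): compares the raw request target, query string included.
func matchRaw(r *http.Request) bool { return listed(r.RequestURI) }

// matchPath (hardened): compares only the parsed, cleaned path component.
func matchPath(r *http.Request) bool { return listed(path.Clean("/" + r.URL.Path)) }

// status sends one GET without an Authorization header through a guard
// built on the given matcher and returns the HTTP status code.
func status(match func(*http.Request) bool, target string) int {
	guard := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if match(r) && r.Header.Get("Authorization") == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	guard.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	for _, t := range []string{"/blacklist", "/blacklist?foo=bar"} {
		fmt.Printf("%-20s raw=%d path=%d\n", t, status(matchRaw, t), status(matchPath, t))
	}
}
```

The same two requests from the reproduction steps make a compact regression test for whichever fix is applied to the real matching code.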