fix: do not expose internal errors to the client (apache#6859)

Liu-Junlin · May 20, 2022 · 3d28f3c · 3d28f3c
1 parent a180def
commit 3d28f3c
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 23 deletions.
diff --git a/apisix/plugins/basic-auth.lua b/apisix/plugins/basic-auth.lua
@@ -151,7 +151,8 @@ function _M.rewrite(conf, ctx)
 
     local username, password, err = extract_auth_header(auth_header)
     if err then
-        return 401, { message = err }
+        core.log.warn(err)
+        return 401, { message = "Invalid authorization in request" }
     end
 
     -- 2. get user info from consumer plugin

diff --git a/apisix/plugins/ldap-auth.lua b/apisix/plugins/ldap-auth.lua
@@ -131,7 +131,8 @@ function _M.rewrite(conf, ctx)
 
     local user, err = extract_auth_header(auth_header)
     if err then
-        return 401, { message = err }
+        core.log.warn(err)
+        return 401, { message = "Invalid authorization in request" }
     end
 
     -- 2. try authenticate the user against the ldap server
@@ -146,7 +147,7 @@ function _M.rewrite(conf, ctx)
     -- 3. Retrieve consumer for authorization plugin
     local consumer_conf = consumer_mod.plugin(plugin_name)
     if not consumer_conf then
-        return 401, {message = "Missing related consumer"}
+        return 401, { message = "Missing related consumer" }
     end
     local consumers = lrucache("consumers_key", consumer_conf.conf_version,
         create_consumer_cache, consumer_conf)

diff --git a/apisix/plugins/wolf-rbac.lua b/apisix/plugins/wolf-rbac.lua
@@ -23,7 +23,6 @@ local ngx_re = require("ngx.re")
 local http     = require("resty.http")
 local ipairs   = ipairs
 local ngx      = ngx
-local tostring = tostring
 local rawget   = rawget
 local rawset   = rawset
 local setmetatable = setmetatable
@@ -326,7 +325,7 @@ function _M.rewrite(conf, ctx)
         core.log.error(" check_url_permission(",
             core.json.delay_encode(perm_item),
             ") failed, res: ",core.json.delay_encode(res))
-        return 401, fail_response(res.err,
+        return 401, fail_response("Invalid user permission",
             { username = username, nickname = nickname }
         )
     end
@@ -365,7 +364,7 @@ local function get_consumer(appid)
     if not consumer then
         core.log.info("request appid [", appid, "] not found")
         core.response.exit(400,
-                fail_response("appid [" .. tostring(appid) .. "] not found")
+                fail_response("appid not found")
             )
     end
     return consumer
@@ -386,7 +385,7 @@ local function request_to_wolf_server(method, uri, headers, body)
     if not res then
         core.log.error("request [", request_debug, "] failed! err: ", err)
         return core.response.exit(500,
-            fail_response("request to wolf-server failed! " .. tostring(err))
+            fail_response("request to wolf-server failed!")
         )
     end
     core.log.info("request [", request_debug, "] status: ", res.status,
@@ -396,8 +395,7 @@ local function request_to_wolf_server(method, uri, headers, body)
         core.log.error("request [", request_debug, "] failed! status: ",
                         res.status)
         return core.response.exit(500,
-        fail_response("request to wolf-server failed! status:"
-                          .. tostring(res.status))
+        fail_response("request to wolf-server failed!")
         )
     end
     local body, err = json.decode(res.body)
@@ -408,7 +406,7 @@ local function request_to_wolf_server(method, uri, headers, body)
     if not body.ok then
         core.log.error("request [", request_debug, "] failed! response body:",
                        core.json.delay_encode(body))
-        return core.response.exit(200, fail_response(body.reason))
+        return core.response.exit(200, fail_response("request to wolf-server failed!"))
     end
 
     core.log.info("request [", request_debug, "] success! response body:",

diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t
@@ -157,7 +157,11 @@ GET /hello
 Authorization: Bad_header YmFyOmJhcgo=
 --- error_code: 401
 --- response_body
-{"message":"Invalid authorization header format"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Invalid authorization header format/
+--- grep_error_log_out
+Invalid authorization header format
 --- no_error_log
 [error]
 
@@ -170,7 +174,11 @@ GET /hello
 Authorization: Basic aca_a
 --- error_code: 401
 --- response_body
-{"message":"Failed to decode authentication header: aca_a"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Failed to decode authentication header: aca_a/
+--- grep_error_log_out
+Failed to decode authentication header: aca_a
 --- no_error_log
 [error]
 
@@ -183,7 +191,11 @@ GET /hello
 Authorization: Basic YmFy
 --- error_code: 401
 --- response_body
-{"message":"Split authorization err: invalid decoded data: bar"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Split authorization err: invalid decoded data: bar/
+--- grep_error_log_out
+Split authorization err: invalid decoded data: bar
 --- no_error_log
 [error]
 

diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t
@@ -156,7 +156,11 @@ GET /hello
 Authorization: Bad_header Zm9vOmZvbwo=
 --- error_code: 401
 --- response_body
-{"message":"Invalid authorization header format"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Invalid authorization header format/
+--- grep_error_log_out
+Invalid authorization header format
 
 
 
@@ -167,7 +171,11 @@ GET /hello
 Authorization: Basic aca_a
 --- error_code: 401
 --- response_body
-{"message":"Failed to decode authentication header: aca_a"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Failed to decode authentication header: aca_a/
+--- grep_error_log_out
+Failed to decode authentication header: aca_a
 
 
 
@@ -178,7 +186,11 @@ GET /hello
 Authorization: Basic Zm9v
 --- error_code: 401
 --- response_body
-{"message":"Split authorization err: invalid decoded data: foo"}
+{"message":"Invalid authorization in request"}
+--- grep_error_log eval
+qr/Split authorization err: invalid decoded data: foo/
+--- grep_error_log_out
+Split authorization err: invalid decoded data: foo
 
 
 

diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t
@@ -211,7 +211,7 @@ appid=not-found&username=admin&password=123456
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 400
 --- response_body_like eval
-qr/appid \[not-found\] not found/
+qr/appid not found/
 --- no_error_log
 [error]
 
@@ -224,7 +224,11 @@ appid=wolf-rbac-app&password=123456
 --- more_headers
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_USERNAME_MISSING/
+--- grep_error_log_out eval
 qr/ERR_USERNAME_MISSING/
 
 
@@ -236,7 +240,11 @@ appid=wolf-rbac-app&username=admin
 --- more_headers
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_PASSWORD_MISSING/
+--- grep_error_log_out eval
 qr/ERR_PASSWORD_MISSING/
 
 
@@ -248,7 +256,11 @@ appid=wolf-rbac-app&username=not-found&password=123456
 --- more_headers
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_USER_NOT_FOUND/
+--- grep_error_log_out eval
 qr/ERR_USER_NOT_FOUND/
 
 
@@ -260,7 +272,11 @@ appid=wolf-rbac-app&username=admin&password=wrong-password
 --- more_headers
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_PASSWORD_ERROR/
+--- grep_error_log_out eval
 qr/ERR_PASSWORD_ERROR/
 
 
@@ -330,7 +346,13 @@ GET /hello1
 --- more_headers
 x-rbac-token: V1#wolf-rbac-app#wolf-rbac-token
 --- response_body
-{"message":"no permission to access"}
+{"message":"Invalid user permission"}
+--- grep_error_log eval
+qr/no permission to access */
+--- grep_error_log_out
+no permission to access
+no permission to access
+no permission to access
 
 
 
@@ -449,7 +471,11 @@ PUT /apisix/plugin/wolf-rbac/change_pwd
 Content-Type: application/json
 Cookie: x-rbac-token=V1#wolf-rbac-app#wolf-rbac-token
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_OLD_PASSWORD_INCORRECT/
+--- grep_error_log_out eval
 qr/ERR_OLD_PASSWORD_INCORRECT/