Copilot commented on code in PR #13471:
URL: https://github.com/apache/apisix/pull/13471#discussion_r3352912612


##########
apisix/plugins/cas-auth.lua:
##########
@@ -381,7 +381,7 @@ function _M.access(conf, ctx)
 
     if method == "POST" and uri == cas_callback_path then
         local data = core.request.get_body()
-        local ticket = 
data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
+        local ticket = data and 
data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
         if ticket == nil then
             return ngx.HTTP_BAD_REQUEST,
                 {message = "invalid logout request from IdP, no ticket"}
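Review bot: the `data and` guard on the `local ticket =` line only avoids indexing a nil body; the `if ticket == nil then` check that follows still accepts an empty `<samlp:SessionIndex></samlp:SessionIndex>`, because `(.*)` matches the empty string and `""` is truthy in Lua, so the 400 "no ticket" branch is skipped for that malformed request. Consider `if not ticket or ticket == "" then`, and a lazy capture `(.-)` so the greedy `.*` cannot run past the first closing tag when a body carries more than one element.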

Review Comment:
   The SLO ticket extraction treats an empty 
<samlp:SessionIndex></samlp:SessionIndex> as a valid (non-nil) ticket because 
the `(.*)` capture can match the empty string. That means a malformed logout 
request could fall through and be handled as if it had a ticket (potentially 
returning 200 from upstream) instead of the intended 400 "no ticket" response.
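The behaviour described in the comment above, as an added example (not code from the apisix project): `extract_as_in_patch` mirrors the extraction in the hunk, and `extract_ticket` is a hypothetical stricter variant that rejects a missing body, a missing element and an empty value. The sample bodies are constructed, not captured from a real IdP.

```lua
-- Added example, not apisix code. Shows why `ticket == nil` does not catch an
-- empty SessionIndex and how a stricter extractor handles it.

-- Same pattern as the hunk: greedy capture, matches the empty string.
local PATCH_PATTERN = "<samlp:SessionIndex>(.*)</samlp:SessionIndex>"

-- Mirrors the patched line: nil only when data is nil or the element is absent;
-- an empty element yields "" which is truthy in Lua.
local function extract_as_in_patch(data)
    return data and data:match(PATCH_PATTERN)
end

-- Hypothetical hardened variant (name is an assumption):
--   * lazy `(.-)` so a second element is not swallowed by a greedy `.*`
--   * surrounding whitespace trimmed, empty values rejected
--   * returns nil plus a reason so the caller can answer 400 deterministically
local function extract_ticket(data)
    if type(data) ~= "string" then
        return nil, "no body"
    end
    local ticket = data:match("<samlp:SessionIndex>(.-)</samlp:SessionIndex>")
    if ticket == nil then
        return nil, "no SessionIndex element"
    end
    ticket = ticket:match("^%s*(.-)%s*$")   -- trim leading/trailing whitespace
    if ticket == "" then
        return nil, "empty SessionIndex"
    end
    return ticket
end

-- Constructed logout bodies covering the cases the review comment raises.
local samples = {
    { name = "nil body",      body = nil },
    { name = "no element",    body = "<samlp:LogoutRequest/>" },
    { name = "empty element", body = "<samlp:SessionIndex></samlp:SessionIndex>" },
    { name = "two elements",  body = "<samlp:SessionIndex>ST-1</samlp:SessionIndex>"
                                   .. "<samlp:SessionIndex>ST-2</samlp:SessionIndex>" },
    { name = "valid",         body = "<samlp:SessionIndex> ST-abc123 </samlp:SessionIndex>" },
}

local function show(v)
    if v == nil then return "nil" end
    return '"' .. v .. '"'
end

for _, s in ipairs(samples) do
    local patched = extract_as_in_patch(s.body)
    local hardened, err = extract_ticket(s.body)
    -- The hunk's check: would this body be treated as having a ticket?
    local patch_accepts = patched ~= nil
    print(string.format("%-14s patch=%-14s accepted=%-5s hardened=%s",
        s.name, show(patched), tostring(patch_accepts),
        hardened and show(hardened) or ("reject: " .. err)))
end
```

Running this with any Lua 5.x interpreter prints one line per sample; the "empty element" row shows the patched extraction returning `""` and the request being accepted, while the hardened extractor rejects it, and the "two elements" row shows the greedy capture spanning both tags where the lazy one stops at the first.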



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]