Copilot commented on code in PR #13500:
URL: https://github.com/apache/apisix/pull/13500#discussion_r3385987186
##########
apisix/plugins/authz-casdoor.lua:
##########
@@ -162,20 +162,25 @@ function _M.access(conf, ctx)
end
local session_obj_write = session.new {
cookie_name = opts.cookie_name,
- cookie = {lifetime = lifetime}
}
session_obj_write:open()
session_obj_write:set("access_token", access_token)
session_obj_write:set("client_id", conf.client_id)
+ -- lua-resty-session 4.x no longer honors the old cookie.lifetime
option,
+ -- so bind the session to the access token's expiry explicitly and
enforce
+ -- it when the session is reused (see step 2 below).
+ session_obj_write:set("access_token_expires_at", ngx.time() + lifetime)
session_obj_write:save()
core.response.set_header("Location", original_url)
return 302
end
- -- step 2: check whether session exists
+ -- step 2: check whether a valid, unexpired session exists
+ local token_expires_at = session_obj:get("access_token_expires_at")
if not (session_present
and session_obj:get("access_token")
- and session_obj:get("client_id") == conf.client_id) then
+ and session_obj:get("client_id") == conf.client_id
+ and (not token_expires_at or token_expires_at > ngx.time())) then
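Review bot: the new clause `and (not token_expires_at or token_expires_at > ngx.time())` fails open: a session that carries an `access_token` and a matching `client_id` but no `access_token_expires_at` (for example one written by the pre-upgrade code, which never stored that key) is accepted with no expiry at all, which is exactly the unbounded reuse the `+` comment says the change is meant to enforce against. Either treat a missing expiry as expired (`token_expires_at and token_expires_at > ngx.time()`), so legacy sessions fall through to step 1 and obtain a fresh token, or state in the step-2 comment that the `not token_expires_at` branch is a deliberate compatibility window and when it can be removed. Separately, with `cookie = {lifetime = lifetime}` dropped, the browser-side cookie lifetime is now whatever lua-resty-session applies by default rather than the token lifetime; the comment on the `+` lines should say that only this server-side check now bounds reuse.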
Review Comment:
`token_expires_at` is fetched unconditionally via `session_obj:get(...)`
before verifying that `session_obj` is non-nil / the session is present. If
`resty.session.open(opts)` fails and returns `nil` (e.g., due to a
malformed/undecryptable cookie), this will throw a Lua runtime error (`attempt
to index local 'session_obj'`) and can turn a bad cookie into a 500/DoS. Guard
the read (and the subsequent `:get(...)` calls) behind
`session_present`/`session_obj` checks.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]