
Multiple Panics when Parsing Caddyfile #263

Open
ahpaleus opened this issue Sep 19, 2023 · 0 comments

ahpaleus commented Sep 19, 2023

Severity: Low

Multiple parsing functions do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a Caddyfile may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server.

Integrate nil checks for input values before element access across all relevant functions to address these issues.

To prevent similar issues of this type, add Golang’s native fuzz tests for Caddyfile parsing functions.

Example crashes:

```go
// These tests live inside the caddy-security package (the trace below places them in
// caddyfile_authn_test.go); caddyfile is github.com/caddyserver/caddy/v2/caddyconfig/caddyfile.
import (
	"testing"

	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
)

// Each test feeds a truncated Caddyfile fragment to parseCaddyfile; the return values are
// irrelevant because the parser panics before returning.
func TestCrashCredentialsUsername(t *testing.T) {
	file := caddyfile.NewTestDispenser("0 { credentials 0 { username")
	parseCaddyfile(file, nil)
}

func TestCrashCredentialsDomain(t *testing.T) {
	file := caddyfile.NewTestDispenser("0 { credentials 0 { domain")
	parseCaddyfile(file, nil)
}

func TestCrashSSOProvider(t *testing.T) {
	file := caddyfile.NewTestDispenser("00 {  sso provider 0 {  entity_id")
	parseCaddyfile(file, nil)
}

func TestCrashParseCaddyfileMessaging(t *testing.T) {
	file := caddyfile.NewTestDispenser("0 { messaging email provider 0 { address")
	parseCaddyfile(file, nil)
}
```

Example crash log:

```
=== RUN   TestCrashCredentials
--- FAIL: TestCrashCredentials (0.00s)
panic: runtime error: index out of range [0] with length 0 [recovered]
	panic: runtime error: index out of range [0] with length 0

goroutine 40 [running]:
testing.tRunner.func1.2({0x2421580, 0xc000154b28})
	/usr/local/opt/go/libexec/src/testing/testing.go:1526 +0x24e
testing.tRunner.func1()
	/usr/local/opt/go/libexec/src/testing/testing.go:1529 +0x39f
panic({0x2421580, 0xc000154b28})
	/usr/local/opt/go/libexec/src/runtime/panic.go:884 +0x213
github.com/greenpau/caddy-security.parseCaddyfileCredentials(0xc000c50ae0, 0x19462d1?, 0xc00081b760)
	audit-caddy/audit-caddy-security/caddyfile_credentials.go:53 +0x534
github.com/greenpau/caddy-security.parseCaddyfile(0xc000c50ae0, {0xc000161760?, 0x1092fb7?})
	audit-caddy/audit-caddy-security/caddyfile.go:60 +0x392
github.com/greenpau/caddy-security.TestCrashCredentials(0x0?)
	audit-caddy/audit-caddy-security/caddyfile_authn_test.go:986 +0x2e
testing.tRunner(0xc000502340, 0x2ddadc0)
	/usr/local/opt/go/libexec/src/testing/testing.go:1576 +0x10b
created by testing.(*T).Run
	/usr/local/opt/go/libexec/src/testing/testing.go:1629 +0x3ea
```

More information about our public disclosure:
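The failure mode the report describes, and the bounds-checked form it asks for, shown on a stand-alone parser for a `credentials` block. This is an added example, not caddy-security's code: `Credentials`, `parseCredentialsUnchecked` and `parseCredentialsChecked` are hypothetical stand-ins that tokenize on whitespace only, with the issue's truncated input `credentials 0 { username` as the sample.

```go
package main

import (
	"fmt"
	"strings"
)

// Credentials holds a "credentials <name> { username <u> domain <d> }" block (hypothetical stand-in).
type Credentials struct{ Name, Username, Domain string }

// parseCredentialsUnchecked reproduces the reported pattern: argument values are read by index
// with no length check, so "credentials 0 { username" panics with "index out of range".
func parseCredentialsUnchecked(input string) Credentials {
	tok := strings.Fields(input)
	c := Credentials{Name: tok[1]}
	for i := 3; i < len(tok) && tok[i] != "}"; i += 2 {
		if tok[i] == "username" {
			c.Username = tok[i+1] // tok[i+1] is out of range when the value token is missing
		} else if tok[i] == "domain" {
			c.Domain = tok[i+1]
		}
	}
	return c
}

// parseCredentialsChecked is the hardened form: every index is bounds-checked first, and a
// truncated or malformed block becomes an error the caller can report instead of a crash.
func parseCredentialsChecked(input string) (Credentials, error) {
	tok := strings.Fields(input)
	if len(tok) < 3 || tok[0] != "credentials" || tok[2] != "{" {
		return Credentials{}, fmt.Errorf("credentials: expected 'credentials <name> {'")
	}
	c := Credentials{Name: tok[1]}
	for i := 3; i < len(tok) && tok[i] != "}"; i += 2 {
		if i+1 >= len(tok) || tok[i+1] == "}" {
			return Credentials{}, fmt.Errorf("credentials %s: %s: missing argument", c.Name, tok[i])
		}
		switch tok[i] {
		case "username":
			c.Username = tok[i+1]
		case "domain":
			c.Domain = tok[i+1]
		}
	}
	return c, nil
}

func main() {
	_, err := parseCredentialsChecked("credentials 0 { username") // the issue's truncated input
	fmt.Println("checked parser:", err)
}
```

The native fuzz test the report recommends is a `func FuzzParseCredentials(f *testing.F)` that seeds the crash inputs with `f.Add` and, inside `f.Fuzz`, calls `parseCredentialsChecked` and asserts only that it returns; run with `go test -fuzz=FuzzParseCredentials`.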
