[ISSUE #4593] Add server identity to replace user-agent white list. #4683
+124
−25
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
KomachiSion
added
the
kind/enhancement
KomachiSion
changed the title
KeRan213539
approved these changes
Jan 13, 2021
| } else if (StringUtils.isNotBlank(authConfigs.getServerIdentityKey()) && StringUtils | ||
| .isNotBlank(authConfigs.getServerIdentityValue())) { | ||
| String serverIdentity = req.getHeader(authConfigs.getServerIdentityKey()); | ||
| if (authConfigs.getServerIdentityValue().equals(serverIdentity)) { |
There was a problem hiding this comment.
Please note that comparing credential with equals makes your application vulnerable to timing attack
There was a problem hiding this comment.
How to solve it? Can you provide some advise for this?
There was a problem hiding this comment.
There was a problem hiding this comment.
In my opinion, there is enough for equals. reason follow:
- Nacos is Internal IDC application, we recommend users use Nacos with internal network not public network, If hacker want to timing attack, the network has been controlled by hacker. And Cost much time to analyze package between nacos server.
- The key and value is defined by configuration file, as the first item said, if the internal network is in controlled by hacker. they can find the key and value by configuration file directly.
I'm not sure whether the timing attack is send a long string to hold equals resource. If so, I think we has no ability to solve all public application security problem for an internal network application.
There was a problem hiding this comment.
@KomachiSion FYI maybe you should use MessageDigest.isEquals
wjm0729
added a commit
to wjm0729/nacos
that referenced
this pull request
Jan 21, 2021
* 'develop' of https://github.com/alibaba/nacos: For checkstyle fix: fix Jraft WriteRequest type problem. Add server identity to replace user-agent white list. (alibaba#4683)
wjm0729
added a commit
to wjm0729/nacos
that referenced
this pull request
Jan 21, 2021
…op-import-v1 * 'develop' of https://github.com/alibaba/nacos: Use SafeConstructor to parse yaml configuration for AbstractConfigChangeListener (alibaba#4753) [ISSUE alibaba#3922] method createServiceIfAbsent in ServiceManager require sync (alibaba#4713) fix cloning configuration last desc (alibaba#4697) [ISSUE alibaba#4661]configServletInner#doGetConfig code optimization (alibaba#4666) Use revision to set version and upgrade to 1.4.2-SNAPSHOT (alibaba#4711) Revert interceptor all ui problem Fix alibaba#4701 (alibaba#4703) delete comment. fix metadata batch operation may delete instance problem. Upgrade to 1.4.1 (alibaba#4695) fix alibaba#4686 (alibaba#4692) Build nacos console front for 1.4.1 (alibaba#4690) For checkstyle fix: fix Jraft WriteRequest type problem. Add server identity to replace user-agent white list. (alibaba#4683)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please do not create a Pull Request without creating an issue first.
What is the purpose of the change
For #4593 , Add server identity to replace user-agent white list.
Templately Fix security problem. User can shutdown user-agent white list and defined their own identity key and value for request between servers.
Brief changelog
Verifying this change
XXXX
Follow this checklist to help us incorporate your contribution quickly and easily:
[ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=trueto make sure basic checks pass. Runmvn clean install -DskipITsto make sure unit-test pass. Runmvn clean test-compile failsafe:integration-testto make sure integration-test pass.