
fix: corrected verification endpoint & validation logic for bombbomb #3462

Merged

Conversation

@sahil9001 sahil9001 (Contributor) commented Oct 17, 2024

Description:

Fixes #3461 , tests:
[Screenshot 2024-10-18 at 1 36 31 AM: test run]

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@sahil9001 sahil9001 changed the title from "fix: corrected verification endpoint for bombbomb" to "fix: corrected verification endpoint & validation logic for bombbomb" Oct 17, 2024
Signed-off-by: Sahil Silare <sahilsilare@gmail.com>
@sahil9001 sahil9001 requested a review from a team as a code owner October 28, 2024 14:45
@@ -8,6 +8,7 @@ import (
)

const EmailPattern = `\b(?:[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])\b`
const JWTPattern = `\b[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\b`
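Review bot: `JWTPattern` on the added line is too permissive to serve as a token detector: `[A-Za-z0-9-_]+` also matches runs of plain digits, so a dotted version string such as `1.2.3` satisfies all three segments and will produce false positives. Since a JWT header is a base64url-encoded JSON object that always begins with `ey`, anchor the first segment on that prefix (for example `\bey[A-Za-z0-9_-]+\.`), and move the hyphen to the end of each character class so it cannot be misread as a range; note also that `\b` will not match next to a trailing `-`, since `-` is not a word character.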
Collaborator

@sahil9001 this is too loose. Take a look at this for a reference https://github.com/gitleaks/gitleaks/blob/43fae355e6fe4d99d2a7b240a224b85e2903aeb4/config/gitleaks.toml#L2311 or even

```go
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"formio"}) + `\b(eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[0-9A-Za-z]{220,310}\.[0-9A-Z-a-z\-_]{43}[ \r\n]{1})`)
```

The first section might be consistent across all bombbomb tokens.

@sahil9001 sahil9001 (Contributor, Author) Oct 28, 2024

No, it changes with each refresh; apparently there is a jti field which changes each time, which eventually changes the first part each time as well.

[Screenshot 2024-10-28 at 9 04 41 PM]

Collaborator

@sahil9001 JWTs are base64 encoded, so that means there will be a common prefix for all JWTs: base64('{"') = ey. Take a look at https://www.ibm.com/docs/en/cics-ts/6.x?topic=cics-json-web-token-jwt.

@sahil9001 sahil9001 (Contributor, Author) Oct 30, 2024

@zricethezav, thanks, I read more about it and found out that:

  1. The typ part is common for all JWT tokens.
  2. alg and jti change, due to which we can only constrain the JWT common prefix up to ey.

Please take a look, I have made the change.
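The base64 prefix argument from the two comments above, worked through as an added example in Go; this is not code from this PR or from trufflehog, and the pattern names, the sample text and the token with its placeholder signature are constructed for illustration:

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
)

// Loose pattern in the style of the PR's first revision: any three dot-separated
// runs of base64url characters, so a version string such as "1.2.3" matches too.
var loosePattern = regexp.MustCompile(`\b[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\b`)

// Prefix-anchored variant: a JWT header is a base64url-encoded JSON object, and
// base64url(`{"`) begins with "eyJ", so the first segment must start there.
var anchoredPattern = regexp.MustCompile(`\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b`)

// Constructed sample input: a version string next to a hypothetical token whose
// payload is {"jti":"1"}; the signature segment is a placeholder, not a real MAC.
const SampleJWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIxIn0.c2ln"
const SampleText = "version 1.2.3 token " + SampleJWT

// HeaderSegment encodes a JWT header the way RFC 7515 does: base64url, no padding.
func HeaderSegment(headerJSON string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(headerJSON))
}

// CommonPrefix returns the longest prefix shared by every string in ss.
func CommonPrefix(ss []string) string {
	if len(ss) == 0 {
		return ""
	}
	p := ss[0]
	for _, s := range ss[1:] {
		for len(p) > 0 && (len(s) < len(p) || s[:len(p)] != p) {
			p = p[:len(p)-1]
		}
	}
	return p
}

func FindLoose(s string) []string    { return loosePattern.FindAllString(s, -1) }
func FindAnchored(s string) []string { return anchoredPattern.FindAllString(s, -1) }

func main() {
	hs256 := HeaderSegment(`{"alg":"HS256","typ":"JWT"}`) // eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
	swapped := HeaderSegment(`{"typ":"JWT","alg":"HS256"}`) // key order changes everything after eyJ
	fmt.Println("shared prefix:", CommonPrefix([]string{hs256, swapped})) // eyJ
	fmt.Println("loose:", FindLoose(SampleText), "anchored:", FindAnchored(SampleText))
}
```

The shared prefix shrinks to `eyJ` as soon as the header's key order or values differ, which is why the thread settles on anchoring only the `ey` prefix rather than a full header constant.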

@sahil9001 sahil9001 requested a review from zricethezav October 28, 2024 15:37
Signed-off-by: Sahil Silare <sahilsilare@gmail.com>
Signed-off-by: Sahil Silare <sahilsilare@gmail.com>
pkg/common/patterns.go (outdated review thread, resolved)
@kashifkhan0771 kashifkhan0771 requested a review from a team as a code owner December 16, 2024 05:38
@kashifkhan0771 kashifkhan0771 merged commit a8585cb into trufflesecurity:main Dec 16, 2024
13 checks passed
Successfully merging this pull request may close these issues:

Issue with incorrect verification endpoint and validation logic for Bombbomb

4 participants