Small security improvements (#1412)

Typos fixed

Disables empty string gateway token for sure. Tests explicitly that the gateway token is not an empty string.
An empty string is the default value and, if accepted, could be a security vulnerability (e.g. enabling gateway token
authentication and using the empty string as the token). According to https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.4
the header value shall not have trailing spaces and the http server shall already have trimmed them. So if execution passes
the "starts with "GatewayToken "" check, then the token shall not be empty. But let's check anyway.

In the UI, first set the key, then enable the gateway token authentication. Otherwise the key might be left empty (default). This however
shall not really be a problem since (because of token trimming) the empty token will be rejected anyway.

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
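The explicit emptiness check the commit message describes, written out as an added example (this is illustration code, not hawkBit project code). The "GatewayToken " prefix comes from the commit message; the Authorization header as the carrier and the `extractGatewayToken`/`matches` helper names are assumptions made here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;

/**
 * Added example (not hawkBit project code): reject an empty gateway token
 * explicitly after the "GatewayToken " prefix instead of relying only on the
 * HTTP server having trimmed trailing whitespace (RFC 7230, section 3.2.4).
 * The header carrying the scheme is assumed to be Authorization.
 */
public final class GatewayTokenCheck {

    private static final String PREFIX = "GatewayToken ";

    /**
     * Returns the token carried by the header value, or empty when the header
     * is absent, uses a different scheme, or carries no usable token.
     */
    public static Optional<String> extractGatewayToken(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith(PREFIX)) {
            return Optional.empty();
        }
        // Trim defensively even though a conforming server already removed
        // trailing whitespace, then reject an empty token explicitly so that an
        // empty (default) configured key can never be matched by an empty header.
        String token = authorizationHeader.substring(PREFIX.length()).trim();
        if (token.isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(token);
    }

    /**
     * Compares the presented token with the configured key. An unset or empty
     * configured key never matches, and the byte comparison is constant-time.
     */
    public static boolean matches(Optional<String> presented, String configuredKey) {
        if (configuredKey == null || configuredKey.isEmpty() || presented.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.get().getBytes(StandardCharsets.UTF_8),
                configuredKey.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample header values covering the cases discussed above.
        String[] headers = {
            "GatewayToken abc123",   // valid token
            "GatewayToken ",         // prefix only: empty token, rejected
            "GatewayToken    ",      // untrimmed whitespace only: rejected
            null,                    // header absent
            "TargetToken abc123"     // different scheme: not a gateway token
        };
        for (String h : headers) {
            Optional<String> t = extractGatewayToken(h);
            System.out.println("[" + h + "] -> " + (t.isPresent() ? "token=" + t.get() : "rejected")
                    + ", matches empty configured key: " + matches(t, "")
                    + ", matches key abc123: " + matches(t, "abc123"));
        }
    }
}
```

Both sides are guarded: the header side rejects an empty token after the prefix, and the configuration side refuses to match an empty key, so a tenant whose key was left at the empty default cannot be authenticated by an empty header regardless of which check runs first.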
This commit is contained in:
Avgustin Marinov
2023-08-16 14:25:17 +03:00
committed by GitHub
parent a5dba29e74
commit acff82f60f
10 changed files with 71 additions and 69 deletions

@@ -165,6 +165,11 @@ public class AuthenticationConfigurationView extends BaseConfigurationView<Proxy
@Override
public void save() {
if (getBinderBean().isGatewaySecToken()) {
writeConfigOption(TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY,
getBinderBean().getGatewaySecurityToken());
}
writeConfigOption(TenantConfigurationKey.AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED,
getBinderBean().isTargetSecToken());
writeConfigOption(TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED,
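Review bot: the block moved to the top of save() still writes getBinderBean().getGatewaySecurityToken() whenever isGatewaySecToken() is true, without checking that the value is non-blank, so the UI can still persist gateway mode enabled together with an empty key; the commit message relies on the server rejecting empty tokens, but a blank check on the token (or a binder validation) before the writeConfigOption call would stop that configuration at the source. Also note that when isGatewaySecToken() is false the previously stored key is left untouched rather than cleared; confirm that is intended.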
@@ -172,11 +177,6 @@ public class AuthenticationConfigurationView extends BaseConfigurationView<Proxy
writeConfigOption(TenantConfigurationKey.ANONYMOUS_DOWNLOAD_MODE_ENABLED,
getBinderBean().isDownloadAnonymous());
if (getBinderBean().isGatewaySecToken()) {
writeConfigOption(TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY,
getBinderBean().getGatewaySecurityToken());
}
writeConfigOption(TenantConfigurationKey.AUTHENTICATION_MODE_HEADER_ENABLED,
getBinderBean().isCertificateAuth());
if (getBinderBean().isCertificateAuth()) {
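Review bot: this is the removal half of the reorder, so the net change is only that the token key is now written before AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED. Since writeConfigOption is called once per key, the ordering does not make the two writes atomic: with the new order a failure after the first write stores the key while the flag keeps its old value, whereas the old order could leave the flag enabled with no key stored, which is the safer direction. A one-line comment in save() stating that the order is deliberate would keep a later refactor from reshuffling it.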