    fix(crypto): reject decrypted strings with non-UTF8 characters. (#8374) · 4e3fd305
    Tim Möhlmann authored
    # Which Problems Are Solved
    
    We noticed logging where 500: Internal Server errors were returned from
    the token endpoint, mostly for the `refresh_token` grant. The error was
    thrown by the database as it received non-UTF8 strings for token IDs.
    
    Zitadel uses symmetric encryption for opaque tokens, including refresh
    tokens. Encrypted values are base64 encoded. It appeared to be possible
    to send garbage base64 to the token endpoint, which will pass decryption
    and string-splitting. In those cases the resulting ID is not a valid
    UTF-8 string.
    
    Invalid non-UTF8 strings are now rejected during token decryption.
    
    # How the Problems Are Solved
    
    - `AESCrypto.DecryptString()` checks if the decrypted bytes only contain
    valid UTF-8 characters before converting them into a string.
    - `AESCrypto.Decrypt()` is unmodified and still allows decryption on
    non-UTF8 byte strings.
    - `FromRefreshToken` now uses `DecryptString` instead of `Decrypt`.
    
    # Additional Changes
    
    - Unit tests added for `FromRefreshToken` and
    `AESCrypto.DecryptString()`.
    - Fuzz tests added for `FromRefreshToken` and
    `AESCrypto.DecryptString()`. This was to pinpoint the problem.
    - Testdata with values that resulted in invalid strings are committed.
    In the pipeline this results in the fuzz tests executing as regular
    unit-test cases. As we don't use the `-fuzz` flag in the pipeline, no
    further fuzzing is performed.
    
    # Additional Context
    
    - Closes #7765
    - https://go.dev/doc/tutorial/fuzz
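The check described under "How the Problems Are Solved", as an added Go example that is not Zitadel's code: `AESCrypto`, `Encrypt`, `Decrypt` and `DecryptString` are hypothetical stand-ins for the names in the commit message, and the AES-CFB-with-IV-prefix construction is an assumption, chosen because an unauthenticated mode is what lets arbitrary input pass decryption the way the message describes. `Decrypt` keeps returning raw bytes while `DecryptString` adds the `utf8.Valid` check at the string boundary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"unicode/utf8"
)

// ErrInvalidUTF8 is returned when decrypted bytes are not a valid UTF-8 string.
var ErrInvalidUTF8 = errors.New("decrypted value contains invalid UTF-8")

// AESCrypto is a hypothetical stand-in for the type named in the commit message
// (build it as &AESCrypto{block: b} with b from aes.NewCipher). Assumption: AES-CFB
// with an IV prefix; CFB is unauthenticated, so any input of one block or more "decrypts".
type AESCrypto struct{ block cipher.Block }

// Encrypt returns IV || CFB(plain) with a fresh random IV.
func (c *AESCrypto) Encrypt(plain []byte) ([]byte, error) {
	out := make([]byte, aes.BlockSize+len(plain))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCFBEncrypter(c.block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plain)
	return out, nil
}

// Decrypt is the unchanged path: raw bytes, no claim about their encoding.
func (c *AESCrypto) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than one block")
	}
	out := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCFBDecrypter(c.block, ct[:aes.BlockSize]).XORKeyStream(out, ct[aes.BlockSize:])
	return out, nil
}

// DecryptString is the hardened path: non-UTF-8 output is rejected before it
// can become a string and travel on to the database as a token ID.
func (c *AESCrypto) DecryptString(ct []byte) (string, error) {
	b, err := c.Decrypt(ct)
	if err != nil {
		return "", err
	}
	if !utf8.Valid(b) {
		return "", ErrInvalidUTF8
	}
	return string(b), nil
}
```

With an authenticated mode such as AES-GCM the tag check would already reject garbage ciphertext; the UTF-8 check still belongs at the string boundary, because it guards the byte-to-string conversion rather than the ciphertext.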