default jwt secret key can forge any user identity, such as gaining administrator privileges (默认 jwt 密钥可以伪造任意用户身份，例如获取管理员权限) #703

Rvn0xsy · 2022-09-22T02:39:49Z

Lines 24 to 39 in c5fafe2

    
           func jwtInit(timeout int) { 
        
           	authMiddleware, err = jwt.New(&jwt.GinJWTMiddleware{ 
        
           		Realm:       "k8s-manager", 
        
           		Key:         []byte("secret key"), 
        
           		Timeout:     time.Minute * time.Duration(timeout), 
        
           		MaxRefresh:  time.Minute * time.Duration(timeout), 
        
           		IdentityKey: identityKey, 
        
           		SendCookie:  true, 
        
           		PayloadFunc: func(data interface{}) jwt.MapClaims { 
        
           			if v, ok := data.(*Login); ok { 
        
           				return jwt.MapClaims{ 
        
           					identityKey: v.Username, 
        
           				} 
        
           			} 
        
           			return jwt.MapClaims{} 
        
           		},

代码中硬编码了secret key，可以伪造任意用户身份，包括管理员。

The key is hardcoded in the code, using jwt.io can forge any user identity, including administrators

Jrohy closed this as completed in e64931b Mar 30, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

default jwt secret key can forge any user identity, such as gaining administrator privileges (默认 jwt 密钥可以伪造任意用户身份，例如获取管理员权限) #703

default jwt secret key can forge any user identity, such as gaining administrator privileges (默认 jwt 密钥可以伪造任意用户身份，例如获取管理员权限) #703

Rvn0xsy commented Sep 22, 2022

default jwt secret key can forge any user identity, such as gaining administrator privileges (默认 jwt 密钥可以伪造任意用户身份，例如获取管理员权限) #703

default jwt secret key can forge any user identity, such as gaining administrator privileges (默认 jwt 密钥可以伪造任意用户身份，例如获取管理员权限) #703

Comments

Rvn0xsy commented Sep 22, 2022