dongmin cha created ZEPPELIN-6266:
-------------------------------------
Summary: JWTs with no expiration time are incorrectly validated.
Key: ZEPPELIN-6266
URL: https://issues.apache.org/jira/browse/ZEPPELIN-6266
Project: Zeppelin
Issue Type: Bug
Components: zeppelin-server
Affects Versions: 0.12.0
Reporter: dongmin cha
Assignee: dongmin cha
The {{KnoxJwtRealm.validateExpiration()}} method incorrectly accepts JWTs that
have no {{exp}} (expiration time) claim. This is a significant security
vulnerability, as a token without an expiration can be used indefinitely to
maintain access.
*Current Behavior:*
* A JWT with a {{null}} expiration time is treated as valid.
* This allows for tokens that never expire.
*Expected Behavior:*
* JWTs *must* contain an expiration time to be considered valid.
* Tokens without an expiration time must be rejected.
* A security warning should be logged when a token is rejected for this reason.
*Root Cause:* The vulnerability is in {{KnoxJwtRealm.java}} on line 195. The
condition {{if (expires == null || new Date().before(expires))}} incorrectly
allows a {{null}} expiration to pass validation.
*Proposed Solution:*
# Explicitly check if the expiration time is {{null}}.
# If it is {{null}}, log a security warning and immediately return {{false}}.
# Only validate the expiration date if it is not {{null}}.
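As an added illustration (not Zeppelin's code), the reported condition is shown beside the proposed fix in one small class; the class and method names, and the use of {{java.util.logging}} for the warning, are assumptions.

```java
import java.util.Date;
import java.util.logging.Logger;

// Added example, not Zeppelin's own code: contrasts the condition quoted in the
// issue with the proposed fix. Class, method names and the logger are assumptions.
public class ExpirationCheckExample {
    private static final Logger LOG = Logger.getLogger(ExpirationCheckExample.class.getName());

    // Before: mirrors the reported condition. A null 'exp' claim passes validation,
    // so a token without an expiration is accepted forever.
    static boolean validateExpirationVulnerable(Date expires) {
        if (expires == null || new Date().before(expires)) {
            return true;
        }
        return false;
    }

    // After: the proposed fix. A missing 'exp' claim is logged and rejected;
    // only a present expiration is compared against the current time.
    static boolean validateExpirationFixed(Date expires) {
        if (expires == null) {
            LOG.warning("Rejecting JWT: token has no expiration (exp) claim");
            return false;
        }
        return new Date().before(expires);
    }

    public static void main(String[] args) {
        Date future = new Date(System.currentTimeMillis() + 60_000L);
        Date past = new Date(System.currentTimeMillis() - 60_000L);

        // Missing exp: the vulnerable check accepts it, the fixed check rejects it.
        System.out.println("null exp, vulnerable: " + validateExpirationVulnerable(null));
        System.out.println("null exp, fixed:      " + validateExpirationFixed(null));

        // Present exp: both checks agree, so the fix changes nothing for well-formed tokens.
        System.out.println("future exp, fixed:    " + validateExpirationFixed(future));
        System.out.println("past exp, fixed:      " + validateExpirationFixed(past));
    }
}
```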