Copilot commented on code in PR #13471:
URL: https://github.com/apache/apisix/pull/13471#discussion_r3352912612
##########
apisix/plugins/cas-auth.lua:
##########
@@ -381,7 +381,7 @@ function _M.access(conf, ctx)
if method == "POST" and uri == cas_callback_path then
local data = core.request.get_body()
- local ticket =
data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
+ local ticket = data and
data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
if ticket == nil then
return ngx.HTTP_BAD_REQUEST,
{message = "invalid logout request from IdP, no ticket"}
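Review bot: the `(.*)` capture on the `+` line still matches the empty string, so a body containing `<samlp:SessionIndex></samlp:SessionIndex>` yields `""` rather than nil and bypasses the `if ticket == nil` branch; it is also greedy, so a body with two SessionIndex elements captures everything from the first opening tag to the last closing tag. Suggest a non-greedy capture plus an explicit empty check, e.g. `local ticket = data and data:match("<samlp:SessionIndex>(.-)</samlp:SessionIndex>")` followed by `if not ticket or ticket == "" then`, so that a nil body, a missing element and an empty element all take the 400 path.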
Review Comment:
The SLO ticket extraction treats an empty
<samlp:SessionIndex></samlp:SessionIndex> as a valid (non-nil) ticket because
the `(.*)` capture can match the empty string. That means a malformed logout
request could fall through and be handled as if it had a ticket (potentially
returning 200 from upstream) instead of the intended 400 "no ticket" response.
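The behaviour described in the comment above, shown on constructed sample bodies as an added example (this is not code from the apisix plugin; the function names and the sample logout bodies are invented here). It places the extraction as written in the patch next to a stricter variant that treats a nil body, a missing element, an empty element and a whitespace-only element all as "no ticket", and uses a non-greedy capture so a body with two SessionIndex elements does not swallow both.

```lua
-- Added example, not part of apache/apisix. Function names are hypothetical.

-- Extraction as written in the patch: `(.*)` matches the empty string, so an
-- empty element yields "" (non-nil) and slips past a `ticket == nil` check.
-- It is also greedy, so it runs to the LAST closing tag in the body.
local function extract_ticket_patched(data)
    return data and data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
end

-- Stricter variant: returns nil for a non-string body, a missing element,
-- an empty element and a whitespace-only element, so the caller's
-- "no ticket" branch (HTTP 400) is taken in all of those cases.
-- `(.-)` is non-greedy and stops at the first closing tag.
local function extract_ticket_strict(data)
    if type(data) ~= "string" then
        return nil
    end
    local ticket = data:match("<samlp:SessionIndex>(.-)</samlp:SessionIndex>")
    if ticket == nil then
        return nil
    end
    -- trim surrounding whitespace before deciding whether anything is left
    ticket = ticket:match("^%s*(.-)%s*$")
    if ticket == "" then
        return nil
    end
    return ticket
end

-- Constructed sample logout bodies (not captured from a real IdP).
local samples = {
    { name = "normal",
      body = "<samlp:LogoutRequest><samlp:SessionIndex>ST-1-abc</samlp:SessionIndex></samlp:LogoutRequest>" },
    { name = "empty",
      body = "<samlp:LogoutRequest><samlp:SessionIndex></samlp:SessionIndex></samlp:LogoutRequest>" },
    { name = "blank",
      body = "<samlp:LogoutRequest><samlp:SessionIndex>   </samlp:SessionIndex></samlp:LogoutRequest>" },
    { name = "missing",
      body = "<samlp:LogoutRequest></samlp:LogoutRequest>" },
    { name = "two",
      body = "<samlp:SessionIndex>A</samlp:SessionIndex><samlp:SessionIndex>B</samlp:SessionIndex>" },
    { name = "nilbody",
      body = nil },
}

-- Print both results side by side; "nil" means the 400 path would be taken.
for _, s in ipairs(samples) do
    local patched = extract_ticket_patched(s.body)
    local strict = extract_ticket_strict(s.body)
    print(string.format("%-8s patched=%-45s strict=%s",
        s.name, string.format("%q", tostring(patched)), tostring(strict)))
end
```

Run it with a stock `lua` interpreter; the "empty" and "blank" rows show the patched extractor returning an empty or whitespace string while the strict one returns nil, and the "two" row shows the greedy capture spanning both elements while the non-greedy one stops at the first.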
--
This is an automated message from the Apache Git Service.