Fix critical issues from follow-up security audit

A second-pass audit surfaced three severe issues missed by the previous review, each a sibling code path of a bug class that was only partially fixed before: - auth: JWT session login (jwtSession.go) registered its authenticator even when CROSS_LOGIN_JWT_HS512_KEY was unset, leaving an empty HMAC key. golang-jwt verifies any HS256/HS512 signature against an empty key, allowing unauthenticated admin token forgery. Init() now refuses to register without a key, with a defense-in-depth empty-key guard in the keyfunc. - repository: metric names from GraphQL ([String!]) were interpolated raw into json_extract(footprint, "$.<name>") SQL. SQLite parses double-quoted strings as literals, enabling SQL injection by any authenticated user. Validate metric names against ^[a-zA-Z0-9_]+$ in jobsMetricStatisticsHistogram and buildFloatJSONCondition. - metricstore: cluster/host line-protocol tags flowed unvalidated into path.Join(RootDir, cluster, host) for checkpoint/WAL files, allowing arbitrary file write outside the checkpoint root via NATS (unauthenticated) or POST /api/write. Reject path-traversal sequences in DecodeLine before the tags become path components. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Entire-Checkpoint: b57246993ec1
2026-06-06 11:47:29 +02:00 · 2026-06-04 19:07:20 +02:00
parent 6f7e262f3f
commit 6d86690c76
4 changed files with 58 additions and 7 deletions
--- a/internal/auth/jwtSession.go
+++ b/internal/auth/jwtSession.go
@@ -25,15 +25,21 @@ type JWTSessionAuthenticator struct {
 var _ Authenticator = (*JWTSessionAuthenticator)(nil)

 func (ja *JWTSessionAuthenticator) Init() error {
-	if pubKey := os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {
-		bytes, err := base64.StdEncoding.DecodeString(pubKey)
-		if err != nil {
-			cclog.Warn("Could not decode cross login JWT HS512 key")
-			return err
-		}
-		ja.loginTokenKey = bytes
+	pubKey := os.Getenv("CROSS_LOGIN_JWT_HS512_KEY")
+	if pubKey == "" {
+		// Without a configured key the HMAC verification below would run against
+		// an empty key, which lets anyone forge a valid token. Refuse to register
+		// the authenticator in that case so JWT session login is simply disabled.
+		return errors.New("CROSS_LOGIN_JWT_HS512_KEY not set: JWT session login disabled")
 	}

+	bytes, err := base64.StdEncoding.DecodeString(pubKey)
+	if err != nil {
+		cclog.Warn("Could not decode cross login JWT HS512 key")
+		return err
+	}
+	ja.loginTokenKey = bytes
+
 	cclog.Info("JWT Session authenticator successfully registered")
 	return nil
 }
@@ -60,6 +66,12 @@ func (ja *JWTSessionAuthenticator) Login(

 	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (any, error) {
 		if t.Method == jwt.SigningMethodHS256 || t.Method == jwt.SigningMethodHS512 {
+			// Defense in depth: an empty key would verify any HMAC signature.
+			// Init() already refuses to register without a key, so this should
+			// never trigger, but guard explicitly rather than trust the chain.
+			if len(ja.loginTokenKey) == 0 {
+				return nil, errors.New("HS login key not configured")
+			}
 			return ja.loginTokenKey, nil
 		}
 		return nil, fmt.Errorf("unkown signing method for login token: %s (known: HS256, HS512, EdDSA)", t.Method.Alg())