Fixed API token authentication bypassed when path contains `/healthz`
The APITokenAuthMiddleware allowed bypassing the check if the path included `/healthz`. An attacker only needed to include `/healthz` in the URL, even in the query string, to bypass the API token check, for example `/v1.0/invoke/myapp/method/something?foo=/healthz`.
Additionally, this was not checking the method of the request, so requests to `POST /healthz` would cause a service invocation to happen.
This fixes the issue by making the check a lot more strict. The API token check can be bypassed only if:
- The path is exactly `/v1.0/healthz` or `/v1.0/healthz/outbound` (slashes are trimmed on each side)
- The method is `GET`
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
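To make the two behaviours concrete, here is an added example (not the project's own middleware, and not code from this commit) that puts the flawed substring check next to the strict check the commit describes and drives both through an in-memory `net/http` handler. The header name `dapr-api-token`, the token value, the `probe` helper and the backend handler are assumptions for the example; the path and method rules are exactly those listed above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header carrying the API token; the name is an assumption for this example.
const tokenHeader = "dapr-api-token"

// legacyIsExempt reproduces the flawed check: a substring match over the whole
// request URI, so "/healthz" anywhere (path or query string) skips the token
// check, and the HTTP method is never consulted.
func legacyIsExempt(r *http.Request) bool {
	return strings.Contains(r.URL.RequestURI(), "/healthz")
}

// strictIsExempt is the hardened rule from the commit message: only GET, and
// only when the slash-trimmed path is exactly one of the two health endpoints.
// The query string is never part of the comparison.
func strictIsExempt(r *http.Request) bool {
	if r.Method != http.MethodGet {
		return false
	}
	p := strings.Trim(r.URL.Path, "/")
	return p == "v1.0/healthz" || p == "v1.0/healthz/outbound"
}

// apiTokenAuth wraps next with a token check; exempt decides which requests skip it.
func apiTokenAuth(token string, exempt func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !exempt(r) && r.Header.Get(tokenHeader) != token {
			http.Error(w, "invalid api token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one in-memory request through the middleware (with the given
// exemption rule) and returns the resulting HTTP status code.
func probe(exempt func(*http.Request) bool, method, target, token string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stands in for the real API handler
	})
	h := apiTokenAuth("s3cret", exempt, backend)
	req := httptest.NewRequest(method, target, nil)
	if token != "" {
		req.Header.Set(tokenHeader, token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed requests, all sent without a token.
	cases := []struct{ method, target string }{
		{"POST", "/v1.0/invoke/myapp/method/something?foo=/healthz"}, // bypass via query string
		{"POST", "/v1.0/healthz"},                                    // wrong method
		{"GET", "/v1.0/healthz/"},                                    // legitimate, trailing slash
		{"GET", "/v1.0/healthz/outbound"},                            // legitimate
		{"GET", "/v1.0/healthzz"},                                    // near miss, must still need a token
	}
	for _, c := range cases {
		fmt.Printf("%-4s %-52s legacy=%d strict=%d\n", c.method, c.target,
			probe(legacyIsExempt, c.method, c.target, ""),
			probe(strictIsExempt, c.method, c.target, ""))
	}
}
```

The first, second and last cases are the ones that matter: the legacy rule returns 200 for all of them without a token, the strict rule returns 401. Matching on `r.URL.Path` rather than the raw URI is what removes the query-string vector, and the explicit `http.MethodGet` test closes the `POST /healthz` path.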