Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

客户端配置的AppId大小写与服务端不一致时可越过accessKey检查而直接获取到配置 #3626

Closed
3 tasks done
supershania opened this issue Apr 3, 2021 · 1 comment · Fixed by #3627
Closed
3 tasks done

客户端配置的AppId大小写与服务端不一致时可越过accessKey检查而直接获取到配置 #3626

supershania opened this issue Apr 3, 2021 · 1 comment · Fixed by #3627
Labels
area/client apollo-client area/configservice apollo-configservice bug Categorizes issue or PR as related to a bug.

Comments

@supershania
Copy link

supershania commented Apr 3, 2021
edited
Loading

描述bug

由于config service大小写不敏感,而导致客户端配置的AppId大小写与服务端不一致时可越过accessKey检查而直接获取到配置;
或直接通过postman等工具获取到配置文件;

复现

通过如下步骤可以复现:

  1. apollo开启访问秘钥
  2. 客户端配置 -Dapp.id={此处与portal配置的大小写不一致}
  3. 客户端不配置 accessKey
  4. 启动应用可以成功获取到配置(或使用postman直接请求)

期望

返回401而不是配置

截图

2
6
1
3
4
5

额外的细节和日志

  • 版本:服务端1.8.1;客户端1.8.0
@nobodyiam nobodyiam mentioned this issue Apr 3, 2021
Merged
4 tasks
@Anilople Anilople added area/client apollo-client area/configservice apollo-configservice bug Categorizes issue or PR as related to a bug. kind/report-problem Categorizes issue when someone report the problem he/she meeted and removed kind/report-problem Categorizes issue when someone report the problem he/she meeted labels Apr 6, 2021
@studyzhanglei
Copy link

描述bug

由于config service大小写不敏感,而导致客户端配置的AppId大小写与服务端不一致时可越过accessKey检查而直接获取到配置;
或直接通过postman等工具获取到配置文件;

复现

通过如下步骤可以复现:

  1. apollo开启访问秘钥
  2. 客户端配置 -Dapp.id={此处与portal配置的大小写不一致}
  3. 客户端不配置 accessKey
  4. 启动应用可以成功获取到配置(或使用postman直接请求)

期望

返回401而不是配置

截图

2
6
1
3
4
5

额外的细节和日志

  • 版本:服务端1.8.1;客户端1.8.0

哥们,你这个issue提的真有水平,给你点个赞

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/client apollo-client area/configservice apollo-configservice bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix the issue that access key doesn't work if appid passed is in different case nobodyiam/apollo
3 participants
@Anilople @supershania @studyzhanglei