Require "." boundary in can_be_signed_by #259
Conversation
Pull request overview
This PR fixes an authorization bug in beam-lib’s ID signing checks by requiring a .-delimited label boundary when allowing a proxy ID to sign on behalf of another ID (itself or its apps), preventing bare-suffix impersonation (e.g., a.broker… incorrectly matching data.broker…).
Changes:
- Replace `str::ends_with` signer checks with a boundary-aware `signer_matches` helper.
- Add a unit test demonstrating and preventing the bare-suffix impersonation case.
- Document the security fix in the changelog.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| CHANGELOG.md | Adds an “Unreleased” entry documenting the authorization/signing boundary fix. |
| beam-lib/src/ids.rs | Implements boundary-aware signer matching and adds a regression test covering the impersonation scenario. |
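The bug the review summary describes is easy to reproduce in isolation. The following is an added example, not beam-lib's own code: it places the bare-suffix check beside a boundary-aware `signer_matches` (the name is taken from the PR summary; this implementation is my own) and exercises both with constructed dot-delimited IDs in the `app.proxy.broker` shape. Nothing here relies on beam-lib's `ids.rs` types.

```rust
// Added example (not beam-lib's code). IDs are dot-delimited labels, most
// specific first: "app.proxy.broker". A proxy may sign for itself and for
// apps directly under it. All IDs below are constructed for illustration.

/// Vulnerable check (the `str::ends_with` behaviour the PR replaces):
/// "data.broker" ends with "a.broker", so proxy "a.broker" would be
/// accepted as a signer for "data.broker" and everything under it.
pub fn signer_matches_suffix(id: &str, signer: &str) -> bool {
    id.ends_with(signer)
}

/// Boundary-aware check: the ID is the signer itself, or the signer is a
/// suffix that begins right after a '.' label boundary with at least one
/// non-empty label in front of it. An empty signer never matches.
pub fn signer_matches(id: &str, signer: &str) -> bool {
    if signer.is_empty() {
        return false;
    }
    if id == signer {
        return true;
    }
    match id.strip_suffix(signer) {
        // prefix must end in '.' and must carry a real label before it,
        // so ".broker" does not count as an app of "broker"
        Some(prefix) => prefix
            .strip_suffix('.')
            .map_or(false, |label| !label.is_empty()),
        None => false,
    }
}

/// Equivalent label-wise form of the same rule: compare whole labels from
/// the right instead of characters, which makes the boundary explicit.
pub fn signer_matches_labels(id: &str, signer: &str) -> bool {
    if signer.is_empty() || id.is_empty() {
        return false;
    }
    let id_labels: Vec<&str> = id.split('.').collect();
    let signer_labels: Vec<&str> = signer.split('.').collect();
    if id_labels.iter().chain(signer_labels.iter()).any(|l| l.is_empty()) {
        return false; // malformed: empty label somewhere
    }
    id_labels.len() >= signer_labels.len()
        && id_labels[id_labels.len() - signer_labels.len()..] == signer_labels[..]
}

/// Hypothetical stand-in for the page's `can_be_signed_by`: an ID may be
/// signed by `proxy` if the boundary-aware rule accepts it.
pub fn can_be_signed_by(id: &str, proxy: &str) -> bool {
    signer_matches(id, proxy)
}

fn main() {
    // Constructed cases: (id, claimed signing proxy)
    let cases = [
        ("data.broker", "a.broker"),      // impersonation attempt
        ("app.data.broker", "a.broker"),  // impersonation of an app
        ("a.broker", "a.broker"),         // proxy signing for itself
        ("app.a.broker", "a.broker"),     // proxy signing for its own app
        ("a.broker", "broker"),           // broker is not a proxy of a.broker
    ];
    for (id, signer) in cases {
        println!(
            "{id:<18} by {signer:<10}  suffix={:<5} boundary={:<5} labels={}",
            signer_matches_suffix(id, signer),
            signer_matches(id, signer),
            signer_matches_labels(id, signer),
        );
    }
}
```

The two rows that differ between the columns are exactly the ones the PR's regression test targets: a plain suffix match lets `a.broker` claim `data.broker` and its apps, while both boundary-aware forms reject them and still accept the proxy's own ID and its direct apps.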
Threated
left a comment
I feel like the security impact here is a bit overstated. can_be_signed_by is only used as a sanity check after the JWT code.
An attacker claiming to be someone else still won't work, as the JWT signature verification would still fail since it's verified against whichever pubkey they claim to be.
Fixed security bug in authorization logic: check for a `.`-delimited label boundary instead of a simple string suffix match, preventing potential impersonation attacks. See unit test for potential attack.