From d91c3f867d91620929ab90b64913d48d3f9c0353 Mon Sep 17 00:00:00 2001 From: Nick Meves Date: Sat, 12 Jun 2021 11:18:19 -0700 Subject: [PATCH] Remove validation for invalid legacy v6.0.0 sessions The reflect.DeepCopy doesn't play nice with the new Lock and Clock fields in sessions. And it added unneeded session deserialization logic to every request. --- pkg/apis/sessions/session_state.go | 47 ++---------------------------- 1 file changed, 3 insertions(+), 44 deletions(-) diff --git a/pkg/apis/sessions/session_state.go b/pkg/apis/sessions/session_state.go index 9e77609e..752d8afb 100644 --- a/pkg/apis/sessions/session_state.go +++ b/pkg/apis/sessions/session_state.go @@ -3,18 +3,14 @@ package sessions import ( "bytes" "context" - "errors" "fmt" - "io" - "io/ioutil" - "reflect" - "time" - "unicode/utf8" - "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/clock" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption" "github.com/pierrec/lz4" "github.com/vmihailenco/msgpack/v4" + "io" + "io/ioutil" + "time" ) // SessionState is used to store information about the currently authenticated user session @@ -200,11 +196,6 @@ func DecodeSessionState(data []byte, c encryption.Cipher, compressed bool) (*Ses return nil, fmt.Errorf("error unmarshalling data to session state: %w", err) } - err = ss.validate() - if err != nil { - return nil, err - } - return &ss, nil } @@ -258,35 +249,3 @@ func lz4Decompress(compressed []byte) ([]byte, error) { return payload, nil } - -// validate ensures the decoded session is non-empty and contains valid data -// -// Non-empty check is needed due to ensure the non-authenticated AES-CFB -// decryption doesn't result in garbage data that collides with a valid -// MessagePack header bytes (which MessagePack will unmarshal to an empty -// default SessionState). <1% chance, but observed with random test data. -// -// UTF-8 check ensures the strings are valid and not raw bytes overloaded -// into Latin-1 encoding. The occurs when legacy unencrypted fields are -// decrypted with AES-CFB which results in random bytes. -func (s *SessionState) validate() error { - for _, field := range []string{ - s.User, - s.Email, - s.PreferredUsername, - s.AccessToken, - s.IDToken, - s.RefreshToken, - } { - if !utf8.ValidString(field) { - return errors.New("invalid non-UTF8 field in session") - } - } - - empty := new(SessionState) - if reflect.DeepEqual(*s, *empty) { - return errors.New("invalid empty session unmarshalled") - } - - return nil -}