fix possible SSRF via unverified JWT claims

Author: FZambia

internal/apiproto/api.pb.go

@@ -19,6 +19,9 @@ func logStartWarnings(cfg config.Config, cfgMeta config.Meta) {
 	if cfg.Admin.Insecure {
 		log.Warn().Msg("INSECURE admin mode enabled, make sure you understand risks")
 	}
+	if cfg.Client.InsecureSkipTokenSignatureVerify {
+		log.Warn().Msg("INSECURE skip token signature verify enabled, make sure you understand risks")
+	}
 	if cfg.Debug.Enabled {
 		log.Warn().Msg("DEBUG mode enabled, see on " + cfg.Debug.HandlerPrefix)
 	}

internal/apiproto/api_grpc.pb.go

@@ -2750,6 +2750,16 @@
             "default": "",
             "comment": "",
             "is_complex_type": false
+          },
+          {
+            "field": "client.token.insecure_skip_jwks_endpoint_safety_check",
+            "name": "insecure_skip_jwks_endpoint_safety_check",
+            "go_name": "InsecureSkipJWKSEndpointSafetyCheck",
+            "level": 3,
+            "type": "bool",
+            "default": "",
+            "comment": "",
+            "is_complex_type": false
           }
         ]
       },
@@ -2882,6 +2892,16 @@
             "default": "",
             "comment": "",
             "is_complex_type": false
+          },
+          {
+            "field": "client.subscription_token.insecure_skip_jwks_endpoint_safety_check",
+            "name": "insecure_skip_jwks_endpoint_safety_check",
+            "go_name": "InsecureSkipJWKSEndpointSafetyCheck",
+            "level": 3,
+            "type": "bool",
+            "default": "",
+            "comment": "",
+            "is_complex_type": false
           }
         ]
       },

internal/app/log.go

@@ -38,6 +38,7 @@ func MakeVerifierConfig(tokenConf configtypes.Token) (jwtverify.VerifierConfig,
 	cfg.AudienceRegex = tokenConf.AudienceRegex
 	cfg.Issuer = tokenConf.Issuer
 	cfg.IssuerRegex = tokenConf.IssuerRegex
+	cfg.InsecureSkipJWKSEndpointSafetyCheck = tokenConf.InsecureSkipJWKSEndpointSafetyCheck
 
 	if tokenConf.UserIDClaim != "" {
 		cfg.UserIDClaim = tokenConf.UserIDClaim

internal/cli/configdoc/schema.json

@@ -61,7 +61,8 @@ type Token struct {
 	AudienceRegex      string `mapstructure:"audience_regex" json:"audience_regex" envconfig:"audience_regex" yaml:"audience_regex" toml:"audience_regex"`
 	Issuer             string `mapstructure:"issuer" json:"issuer" envconfig:"issuer" yaml:"issuer" toml:"issuer"`
 	IssuerRegex        string `mapstructure:"issuer_regex" json:"issuer_regex" envconfig:"issuer_regex" yaml:"issuer_regex" toml:"issuer_regex"`
-	UserIDClaim        string `mapstructure:"user_id_claim" json:"user_id_claim" envconfig:"user_id_claim" yaml:"user_id_claim" toml:"user_id_claim"`
+	UserIDClaim                         string `mapstructure:"user_id_claim" json:"user_id_claim" envconfig:"user_id_claim" yaml:"user_id_claim" toml:"user_id_claim"`
+	InsecureSkipJWKSEndpointSafetyCheck bool   `mapstructure:"insecure_skip_jwks_endpoint_safety_check" json:"insecure_skip_jwks_endpoint_safety_check" envconfig:"insecure_skip_jwks_endpoint_safety_check" yaml:"insecure_skip_jwks_endpoint_safety_check" toml:"insecure_skip_jwks_endpoint_safety_check"`
 }
 
 // SubscriptionToken can be used to set custom configuration for subscription tokens.

internal/confighelpers/jwt.go

@@ -8,9 +8,11 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"path"
 	"time"
 
 	"github.com/rakutentech/jwk-go/jwk"
+	"github.com/rs/zerolog/log"
 	"github.com/valyala/fasttemplate"
 	"golang.org/x/sync/singleflight"
 )
@@ -130,6 +132,20 @@ func (m *Manager) loadData(req *http.Request) ([]byte, error) {
 
 func (m *Manager) fetchKey(ctx context.Context, kid string, tokenVars map[string]any) (*JWK, error) {
 	jwkURL := m.url.ExecuteString(tokenVars)
+
+	// Reject requests where template substitution produced a URL with path traversal.
+	u, err := url.Parse(jwkURL)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing JWKS URL: %w", err)
+	}
+	if u.Path != "" {
+		if cleanPath := path.Clean(u.Path); cleanPath != u.Path {
+			log.Info().Str("path", u.Path).Str("clean_path", cleanPath).
+				Msg("JWKS URL path contains traversal sequences, request rejected")
+			return nil, fmt.Errorf("JWKS URL path contains traversal sequences: %q", u.Path)
+		}
+	}
+
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, jwkURL, nil)
 	if err != nil {
 		return nil, err

internal/configtypes/types.go

@@ -143,6 +143,45 @@ func TestManagerInitialFetchKey(t *testing.T) {
 	}
 }
 
+func TestManagerFetchKey_PathTraversalRejected(t *testing.T) {
+	kid := "test-kid"
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("request should have been rejected before reaching the server")
+	}))
+	defer ts.Close()
+
+	manager, err := NewManager(ts.URL + "/tenants/{{tenant}}/jwks.json")
+	require.NoError(t, err)
+
+	// Path traversal via ".." — must be rejected.
+	tokenVars := map[string]any{"tenant": "../../etc"}
+	_, err = manager.FetchKey(context.Background(), kid, tokenVars)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "traversal")
+
+	// Single ".." segment — also rejected.
+	tokenVars = map[string]any{"tenant": ".."}
+	_, err = manager.FetchKey(context.Background(), kid, tokenVars)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "traversal")
+
+	// Clean value — must succeed (uses real server).
+	_, pubKey, err := randomKeys()
+	require.NoError(t, err)
+
+	ts2 := httptest.NewServer(jwksHandler(testKey{kid, pubKey}))
+	defer ts2.Close()
+
+	manager, err = NewManager(ts2.URL + "/tenants/{{tenant}}/jwks.json")
+	require.NoError(t, err)
+
+	tokenVars = map[string]any{"tenant": "acme"}
+	key, err := manager.FetchKey(context.Background(), kid, tokenVars)
+	require.NoError(t, err)
+	require.Equal(t, kid, key.Kid)
+}
+
 func TestManagerCachedFetchKey(t *testing.T) {
 	testCases := []struct {
 		Name         string

internal/jwks/manager.go

@@ -71,6 +71,12 @@ type VerifierConfig struct {
 	// UserIDClaim allows overriding default claim used to extract user ID from token.
 	// By default, Centrifugo uses "sub" and we recommend keeping the default if possible.
 	UserIDClaim string
+
+	// InsecureSkipJWKSEndpointSafetyCheck disables the config-time safety validation of
+	// JWKS endpoint URL templates. This is INSECURE and exists only as a temporary escape
+	// hatch for users upgrading with existing permissive regex patterns. This option will
+	// be removed in a future release.
+	InsecureSkipJWKSEndpointSafetyCheck bool
 }
 
 func (c VerifierConfig) Validate() error {
@@ -80,6 +86,15 @@ func (c VerifierConfig) Validate() error {
 	if c.Issuer != "" && c.IssuerRegex != "" {
 		return errors.New("can not use both token_issuer and token_issuer_regex, configure only one of them")
 	}
+	if c.JWKSPublicEndpoint != "" {
+		if err := validateJWKSEndpointSafety(c.JWKSPublicEndpoint, c.IssuerRegex, c.AudienceRegex); err != nil {
+			if c.InsecureSkipJWKSEndpointSafetyCheck {
+				log.Warn().Err(err).Msg("JWKS endpoint template safety check skipped — this is INSECURE and the escape hatch will be removed in a future release, please update your regex to use an explicit list of allowed values")
+			} else {
+				return err
+			}
+		}
+	}
 	return nil
 }
 
@@ -456,19 +471,15 @@ func (verifier *VerifierJWT) verifySignatureByJWK(token *jwt.Token, tokenVars ma
 	return verifier.jwksManager.verify(token, tokenVars)
 }
 
-func (verifier *VerifierJWT) validateClaims(claims jwt.RegisteredClaims, tokenVars map[string]any) error {
-	if verifier.audience != "" && !claims.IsForAudience(verifier.audience) {
-		return fmt.Errorf("%w: invalid audience", ErrInvalidToken)
-	}
-
-	if verifier.issuer != "" && !claims.IsIssuer(verifier.issuer) {
-		return fmt.Errorf("%w: invalid issuer", ErrInvalidToken)
-	}
-
+// extractTokenVars extracts named group matches from issuer/audience regex into tokenVars.
+// This must be called before signature verification because the extracted values may be
+// needed to construct the JWKS endpoint URL. Returns an error if regex is configured but
+// the claim doesn't match.
+func (verifier *VerifierJWT) extractTokenVars(claims jwt.RegisteredClaims, tokenVars map[string]any) error {
 	if verifier.issuerRe != nil {
 		match := verifier.issuerRe.FindStringSubmatch(claims.Issuer)
 		if len(match) == 0 {
-			return fmt.Errorf("%w: issuer not matched", ErrInvalidToken)
+			return errors.New("issuer not matched")
 		}
 		for i, name := range verifier.issuerRe.SubexpNames() {
 			if i != 0 && name != "" {
@@ -493,13 +504,27 @@ func (verifier *VerifierJWT) validateClaims(claims jwt.RegisteredClaims, tokenVa
 			break
 		}
 		if !matched {
-			return fmt.Errorf("%w: audience not matched", ErrInvalidToken)
+			return errors.New("audience not matched")
 		}
 	}
 
 	return nil
 }
 
+// validateClaims checks issuer and audience claims against configured values.
+// Must be called after signature verification.
+func (verifier *VerifierJWT) validateClaims(claims jwt.RegisteredClaims) error {
+	if verifier.audience != "" && !claims.IsForAudience(verifier.audience) {
+		return errors.New("invalid audience")
+	}
+
+	if verifier.issuer != "" && !claims.IsIssuer(verifier.issuer) {
+		return errors.New("invalid issuer")
+	}
+
+	return nil
+}
+
 func (verifier *VerifierJWT) VerifyConnectToken(t string, skipVerify bool) (ConnectToken, error) {
 	token, err := jwt.ParseNoVerify([]byte(t)) // Will be verified later.
 	if err != nil {
@@ -513,8 +538,9 @@ func (verifier *VerifierJWT) VerifyConnectToken(t string, skipVerify bool) (Conn
 
 	tokenVars := map[string]any{}
 
-	if err := verifier.validateClaims(claims.RegisteredClaims, tokenVars); err != nil {
-		return ConnectToken{}, err
+	// Extract token vars before signature verification — needed to construct JWKS URL.
+	if err = verifier.extractTokenVars(claims.RegisteredClaims, tokenVars); err != nil {
+		return ConnectToken{}, fmt.Errorf("%w: %v", ErrInvalidToken, err)
 	}
 
 	if !skipVerify {
@@ -528,6 +554,11 @@ func (verifier *VerifierJWT) VerifyConnectToken(t string, skipVerify bool) (Conn
 		}
 	}
 
+	// Validate claims after signature verification.
+	if err = verifier.validateClaims(claims.RegisteredClaims); err != nil {
+		return ConnectToken{}, fmt.Errorf("%w: %v", ErrInvalidToken, err)
+	}
+
 	if claims.Channel != "" {
 		return ConnectToken{}, fmt.Errorf(
 			"%w: connection JWT can not contain channel claim, only subscription JWT can", ErrInvalidToken)
@@ -679,8 +710,9 @@ func (verifier *VerifierJWT) VerifySubscribeToken(t string, skipVerify bool) (Su
 
 	tokenVars := map[string]any{}
 
-	if err := verifier.validateClaims(claims.RegisteredClaims, tokenVars); err != nil {
-		return SubscribeToken{}, err
+	// Extract token vars before signature verification — needed to construct JWKS URL.
+	if err = verifier.extractTokenVars(claims.RegisteredClaims, tokenVars); err != nil {
+		return SubscribeToken{}, fmt.Errorf("%w: %v", ErrInvalidToken, err)
 	}
 
 	if !skipVerify {
@@ -694,6 +726,11 @@ func (verifier *VerifierJWT) VerifySubscribeToken(t string, skipVerify bool) (Su
 		}
 	}
 
+	// Validate claims after signature verification.
+	if err = verifier.validateClaims(claims.RegisteredClaims); err != nil {
+		return SubscribeToken{}, fmt.Errorf("%w: %v", ErrInvalidToken, err)
+	}
+
 	now := time.Now()
 	if !claims.IsValidExpiresAt(now) || !claims.IsValidNotBefore(now) {
 		return SubscribeToken{}, ErrTokenExpired