authelia / authelia

The Single Sign-On Multi-Factor portal for web apps

Home Page: https://www.authelia.com


Authelia Crash

ashcowey opened this issue · comments

Version

v4.37.5

Deployment Method

Bare-metal

Reverse Proxy

NGINX

Reverse Proxy Version

1.18.0

Description

journalctl -xeu authelia yields

Mar 07 15:13:11 phishbox authelia[645225]: panic: runtime error: index out of range [7293] with length 7293
Mar 07 15:13:11 phishbox authelia[645225]: goroutine 141 [running]:
Mar 07 15:13:11 phishbox authelia[645225]: github.com/savsgio/dictpool.(*Dict).indexOf(0xc000eeca80, {0xc000e75940, 0x20})
Mar 07 15:13:11 phishbox authelia[645225]: github.com/savsgio/dictpool@v0.0.0-20220406081701-03de5edb2e6d/dict.go:40 +0x165
Mar 07 15:13:11 phishbox authelia[645225]: github.com/savsgio/dictpool.(*Dict).Set(0xc000eeca80, {0xc000e75940, 0x20}, {0x55e3ed165500?, 0xc000d61110})
Mar 07 15:13:11 phishbox authelia[645225]: github.com/savsgio/dictpool@v0.0.0-20220406081701-03de5edb2e6d/dict.go:86 +0x3e
Mar 07 15:13:11 phishbox authelia[645225]: github.com/savsgio/dictpool.(*Dict).SetBytes(...)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/savsgio/dictpool@v0.0.0-20220406081701-03de5edb2e6d/dict.go:101
Mar 07 15:13:11 phishbox authelia[645225]: github.com/fasthttp/session/v2/providers/memory.(*Provider).Save(0xc00041ec58, {0xc000e75940, 0x20, 0x55e3ed2da740?}, {0xc000f4a500, 0x27c, 0x27c}, 0x1a3185c50000)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/fasthttp/session/v2@v2.4.13/providers/memory/provider.go:58 +0x13a
Mar 07 15:13:11 phishbox authelia[645225]: github.com/fasthttp/session/v2.(*Session).Save(0xc000f0a8c0, 0x55e3ec28bdcc?, 0xc00032c480)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/fasthttp/session/v2@v2.4.13/session.go:204 +0x117
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/session.(*Provider).SaveSession(0xc000ef6de0, 0x23?, {{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0x0, ...}, ...})
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/session/provider.go:112 +0xf0
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/middlewares.(*AutheliaCtx).SaveSession(...)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:243
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/handlers.updateActivityTimestamp(0xc000461080, 0x0?)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/handlers/handler_verify.go:268 +0x138
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/handlers.VerifyGET.func1(0xc000461080)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/handlers/handler_verify.go:495 +0x6da
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/middlewares.(*BridgeBuilder).Build.func1.1(0xc000806f30?)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/middlewares/bridge.go:54 +0xe9
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/middlewares.SecurityHeaders.func1(0xc000806c00)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/middlewares/headers.go:16 +0x149
Mar 07 15:13:11 phishbox authelia[645225]: github.com/fasthttp/router.(*Router).Handler(0xc0002ac150, 0xc000806c00)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/fasthttp/router@v1.4.14/router.go:427 +0x871
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/middlewares.LogRequest.func1(0xc000806c00)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 +0xb1
Mar 07 15:13:11 phishbox authelia[645225]: github.com/valyala/fasthttp.(*Server).serveConn(0xc000498240, {0x55e3ed3acf10?, 0xc000014010})
Mar 07 15:13:11 phishbox authelia[645225]: github.com/valyala/fasthttp@v1.43.0/server.go:2338 +0x1268
Mar 07 15:13:11 phishbox authelia[645225]: github.com/valyala/fasthttp.(*workerPool).workerFunc(0xc000f0f860, 0xc00004c420)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/valyala/fasthttp@v1.43.0/workerpool.go:224 +0xa9
Mar 07 15:13:11 phishbox authelia[645225]: github.com/valyala/fasthttp.(*workerPool).getCh.func1()
Mar 07 15:13:11 phishbox authelia[645225]: github.com/valyala/fasthttp@v1.43.0/workerpool.go:196 +0x38
Mar 07 15:13:11 phishbox authelia[645225]: created by github.com/valyala/fasthttp.(*workerPool).getCh
Mar 07 15:13:11 phishbox authelia[645225]: github.com/valyala/fasthttp@v1.43.0/workerpool.go:195 +0x1b0
Mar 07 15:13:11 phishbox systemd[1]: authelia.service: Main process exited, code=exited, status=2/INVALIDARGUMENT

Reproduction

This appears to occur periodically and doesn't seem to be triggered by anything specific.

Expectations

I would expect for the code to ensure that it doesn't exceed the bounds of any given array.

Configuration (Authelia)

###############################################################
#                   Authelia configuration                    #
###############################################################

jwt_secret: <REDACTED>
#a_very_important_secret
default_redirection_url: https://auth.<DOMAIN>
theme: dark

server:
  host: 0.0.0.0
  port: 9091

log:
  level: debug
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE

totp:
  disable: false
  issuer: <DOMAIN>
  algorithm: sha256
  digits: 6
  period: 30
  skew: 1
  secret_size: 32
#  hostname: api-123456789.example.com
#  integration_key: ABCDEF
#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
#  secret_key: 1234567890abcdefghifjkl

authentication_backend:
  password_reset:
    disable: false
  file:
    path: /etc/authelia/config/users_database.yml

access_control:
  default_policy: deny
  networks:
  - name: local
    networks:
      - 'XX.XX.XXX.36'
  rules:
    # Rules applied to everyone
    - domain: auth.<DOMAIN>
      policy: two_factor
    - domain: admin.<DOMAIN>
      policy: two_factor
    - domain: console.<DOMAIN>
      policy: two_factor   
    - domain: serve.<DOMAIN>
      policy: two_factor
    - domain: code.<DOMAIN>
      policy: bypass
#      resources:
#        - '^/api([/?].*)?$'
#        - '^/derp([/?].*)?$'
#        - '^/healthz?$'
      networks:
        - 'local'
        - 'XX.XX.XXX.36'
        - '127.0.0.1'
        - '172.20.0.1/24' # docker interface for coder
#        - 'localhost'
    - domain: code.fark.ing
      policy: two_factor
session:
  name: authelia_session
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  secret: <REDACTED>
  #unsecure_session_secret
  expiration: 28800  # 8 hours
  inactivity: 1200  # 20 minutes
  domain: <DOMAIN>  # Should match whatever your root protected domain is

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  encryption_key: <REDACTED>
  local:
    path: /etc/authelia/config/db.sqlite3

notifier:
  disable_startup_check: false
  filesystem:
    filename: /etc/authelia/config/notification.txt
...

Build Information

Last Tag: v4.37.5
State: tagged clean
Branch: v4.37.5
Commit: 566a0d7fc71b450123ad33d350cd3890d311da82
Build Number: 17068
Build OS: linux
Build Arch: amd64
Build Date: Wed, 21 Dec 2022 19:54:54 +1100
Extra:

Logs (Authelia)

I have configured authelia to log to a file now and will post the full log upon its next crash.

I have set log level to debug.

I suspect it will yield what was extracted from journalctl but nonetheless I will upload when it becomes available.

Logs (Proxy / Application)

nginx / openresty is not failing or throwing any errors. If required I will match up the timestamps next crash and provide them also.

Documentation

My configuration is a simple setup that uses openresty / nginx to reverse proxy the service which provides MFA to other services protected by authelia. If you require specific information let me know and I will provide anything I'm able to.

It is worth noting that authelia runs fine and all services that sit behind it operate without any bugs or unexpected behaviour.

Pre-Submission Checklist

  • I agree to follow the Code of Conduct

  • This is a bug report and not a support request

  • I have read the security policy and this bug report is not a security issue or security related issue

  • I have either included the complete configuration file or I am sure it's unrelated to the configuration

  • I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant

  • I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide

  • I have checked for related proxy or application logs and included them if available

  • I have checked for related issues and checked the documentation
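A flattened journald capture like the one above is hard to search an issue tracker for until the panic has a stable signature. The Go helper below is an added example written for this page; it is not Authelia code and nothing from this issue. It parses the standard journald short prefix and the Go runtime's goroutine dump layout (function line followed by a `path/file.go:line +0xoffset` line, with no offset for inlined frames), takes a `localModule` prefix for the code you operate yourself, and masks the varying numbers in the panic message. Its sample input is the trace from this report, restored to one record per line and cut down to three frames. Run against that excerpt it names the dictpool frame as the culprit, shows that the caller is the fasthttp in-memory session provider, and picks out `internal/session/provider.go:112` as the first Authelia frame.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Frame is one stack entry: the function line and the "path/file.go:line" beneath it.
type Frame struct {
	Function string // e.g. "github.com/savsgio/dictpool.(*Dict).indexOf"
	Location string // e.g. "github.com/savsgio/dictpool@v0.0.0-20220406081701-03de5edb2e6d/dict.go:40"
}

// PanicSummary is the triage signature pulled out of a journald capture.
type PanicSummary struct {
	Message    string  // the "panic: ..." line
	Frames     []Frame // innermost first
	Culprit    *Frame  // innermost frame outside the Go runtime
	FirstLocal *Frame  // innermost frame inside the module we operate ourselves
}

var (
	// journald prefix, e.g. "Mar 07 15:13:11 phishbox authelia[645225]: "
	journalPrefix = regexp.MustCompile(`^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+\[\d+\]: `)
	// location line, e.g. ".../dict.go:40 +0x165"; inlined frames carry no +offset
	locationLine = regexp.MustCompile(`\.go:\d+( \+0x[0-9a-f]+)?$`)
	digits       = regexp.MustCompile(`\d+`)
)

// functionName strips the argument list, which the runtime prints as the last
// parenthesised group; the argument values themselves never contain parentheses.
func functionName(line string) string {
	line = strings.TrimPrefix(line, "created by ")
	if i := strings.LastIndexByte(line, '('); i >= 0 && strings.HasSuffix(line, ")") {
		return line[:i]
	}
	return line
}

// ParseJournalPanic extracts the first panic from a journalctl excerpt.
// localModule is the import-path prefix of the code we operate ourselves.
func ParseJournalPanic(journal, localModule string) (*PanicSummary, error) {
	s := &PanicSummary{}
	var pending *Frame // function line waiting for its location line
	for _, raw := range strings.Split(journal, "\n") {
		line := strings.TrimSpace(journalPrefix.ReplaceAllString(strings.TrimSpace(raw), ""))
		switch {
		case strings.HasPrefix(line, "panic: "):
			s.Message = line
		case line == "" || s.Message == "" || strings.HasPrefix(line, "goroutine "): // not in the dump yet
		case locationLine.MatchString(line):
			if pending != nil {
				pending.Location = strings.SplitN(line, " +0x", 2)[0]
				s.Frames = append(s.Frames, *pending)
				pending = nil
			}
		default:
			pending = &Frame{Function: functionName(line)}
		}
	}
	if s.Message == "" || len(s.Frames) == 0 {
		return nil, fmt.Errorf("no Go panic found in the excerpt")
	}
	for i := range s.Frames {
		f := &s.Frames[i]
		if s.Culprit == nil && !strings.HasPrefix(f.Function, "runtime.") {
			s.Culprit = f
		}
		if s.FirstLocal == nil && strings.HasPrefix(f.Function, localModule) {
			s.FirstLocal = f
		}
	}
	return s, nil
}

// Signature is the string to search an issue tracker for: the panic message
// with its variable numbers masked, plus the function that raised it.
func (s *PanicSummary) Signature() string {
	return digits.ReplaceAllString(s.Message, "N") + " in " + s.Culprit.Function
}

// sampleJournal is the journalctl excerpt from the report above, restored to
// one record per line and cut down to the frames that matter for triage.
const sampleJournal = `Mar 07 15:13:11 phishbox authelia[645225]: panic: runtime error: index out of range [7293] with length 7293
Mar 07 15:13:11 phishbox authelia[645225]: goroutine 141 [running]:
Mar 07 15:13:11 phishbox authelia[645225]: github.com/savsgio/dictpool.(*Dict).indexOf(0xc000eeca80, {0xc000e75940, 0x20})
Mar 07 15:13:11 phishbox authelia[645225]: github.com/savsgio/dictpool@v0.0.0-20220406081701-03de5edb2e6d/dict.go:40 +0x165
Mar 07 15:13:11 phishbox authelia[645225]: github.com/fasthttp/session/v2/providers/memory.(*Provider).Save(0xc00041ec58, {0xc000e75940, 0x20, 0x55e3ed2da740?}, {0xc000f4a500, 0x27c, 0x27c}, 0x1a3185c50000)
Mar 07 15:13:11 phishbox authelia[645225]: github.com/fasthttp/session/v2@v2.4.13/providers/memory/provider.go:58 +0x13a
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/session.(*Provider).SaveSession(0xc000ef6de0, 0x23?, {{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0x0, ...}, ...})
Mar 07 15:13:11 phishbox authelia[645225]: github.com/authelia/authelia/v4/internal/session/provider.go:112 +0xf0`

func main() {
	s, err := ParseJournalPanic(sampleJournal, "github.com/authelia/authelia/v4/")
	if err != nil {
		panic(err)
	}
	fmt.Println(s.Signature(), "\nculprit:", s.Culprit.Location, "\nfirst own frame:", s.FirstLocal.Location)
}
```

Feed it the full `journalctl -u authelia` output rather than a hand-trimmed excerpt; lines before the `panic:` record are ignored, and the masked signature is what to paste into the tracker search.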

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.


Based on the information provided and the error logs, it seems like Authelia is encountering a panic due to an "index out of range" error within its session handling, specifically when trying to save a session. This type of error typically occurs when the code attempts to access an element of an array or slice using an index that exceeds its bounds. The stack trace indicates that the panic originates from the github.com/savsgio/dictpool.(*Dict).indexOf function, which is part of a third-party library used by Authelia.

Given the nature of the error and the stack trace provided, this issue appears to be related to a bug within Authelia or one of its dependencies. It's not something that can be resolved through configuration changes. The best course of action would be to report this issue to the Authelia development team if it hasn't been reported already. They would be best equipped to diagnose the problem further and provide a fix in a future release.

Before reporting, it would be beneficial to check the Authelia GitHub issues page to see if this issue has already been reported or fixed in a more recent version than the one you're using (v4.37.5). If you find an existing issue that matches yours, you can follow the progress on that issue for updates. If there's no existing issue, you can create a new one, providing all the details you've shared here, including the error logs and your Authelia version.

Additionally, since this seems to be a bug, ensure you're running the latest version of Authelia, as the issue might have already been addressed in a newer release. If an update is available, consider upgrading to see if the issue persists.

Lastly, as a temporary workaround, you might want to monitor the Authelia service and automatically restart it upon failure, although this does not address the root cause of the problem. This can be done through systemd service configuration or other process monitoring tools available in your environment.

This comment was generated by Glime.
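The restart workaround suggested above, as a systemd drop-in. This is an added example, not part of the issue and not Authelia's packaging; the unit name `authelia.service` is the one in the journal lines of the report, while the file path and the numbers are assumptions to adapt. Two details matter: `Restart=on-failure` covers the non-zero exit seen here (`status=2`) without restarting after a deliberate `systemctl stop`, and the `StartLimit*` settings are needed because systemd's default start rate limit stops restarting a unit that crashes repeatedly, which would leave the SSO portal down exactly when this bug is most active. Also note what the trace shows: sessions are being saved by the in-memory session provider (`fasthttp/session/v2/providers/memory`; the configuration above has no `redis` block under `session`), so every crash and restart also discards all live sessions and signs every user out.

```ini
# /etc/systemd/system/authelia.service.d/restart.conf  (assumed path)
[Unit]
# Permit up to 5 restarts per 10 minutes before systemd stops trying.
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
# Restart on a non-zero exit (the panic exits with status=2), not after a clean stop.
Restart=on-failure
RestartSec=5s
```

Apply it with `systemctl daemon-reload` followed by `systemctl restart authelia`, and watch how often the crash recurs with `systemctl show -p NRestarts authelia` until the fix lands in a release you run.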

Duplicate of #3751