google / go-github

Go library for accessing the GitHub v3 API

Home Page:https://pkg.go.dev/github.com/google/go-github/v62/github

Access token leakage when reusing the client between users

legigor opened this issue · comments

Description

Reusing the github.Client instance between different users' sessions leads to leaking the access_token between sessions.

How to reproduce

This scenario works in a hosted service environment.

  1. Create a global client configured WithEnterpriseURLs
  2. For client requests, create a clone using WithAuthToken(userToken)
  3. All underlying API calls will be performed with the first used access_token, ignoring the other tokens

This test reproduces the issue

package github_test

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/google/go-github/v57/github"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func Test_github_access_token(t *testing.T) {
	// Fake API server: echoes the Authorization header back as the user's login,
	// so the test can see which token each request actually carried.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		accessToken := r.Header.Get("Authorization")
		_, _ = fmt.Fprintf(w, `{"login": "%s"}`, accessToken)
	}))
	defer srv.Close()

	// One shared client configured with the (fake) enterprise URLs.
	clientPreconfiguredWithURLs, err := github.NewClient(nil).WithEnterpriseURLs(srv.URL, srv.URL)
	require.NoError(t, err)

	// Two per-user clients derived from the shared one.
	aliseClient := clientPreconfiguredWithURLs.WithAuthToken("alise")
	bobClient := clientPreconfiguredWithURLs.WithAuthToken("bob")

	alise, _, err := aliseClient.Users.Get(context.Background(), "")
	require.NoError(t, err)
	assert.Equal(t, "Bearer alise", alise.GetLogin())

	bob, _, err := bobClient.Users.Get(context.Background(), "")
	require.NoError(t, err)
	assert.Equal(t, "Bearer bob", bob.GetLogin())
}

and the result

Error:      	Not equal: 
            	expected: "Bearer bob"
            	actual  : "Bearer alise"

Used environment

  • go version go1.21.3 darwin/amd64
  • github.com/google/go-github/v57 v57.0.0
  • github.com/google/go-github/v57 v57.0.0 h1:L+Y3UPTY8ALM8x+TV0lg+IEBI+upibemtBD8Q9u7zHs=
  • github.com/google/go-github/v57 v57.0.0/go.mod h1:s0omdnye0hvK/ecLvpsGfJMiRt85PimQh4oygmLIxHw=
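The symptom in the report (two clients derived from one shared base, the first token winning for both) is what you get when a "copy" of a client struct keeps sharing one *http.Client pointer and each per-user call wraps that shared Transport. The following is an added example written for this page, not go-github's code, and it makes no claim about how go-github's internals are implemented: apiClient, withAuthTokenLeaky, withAuthTokenSafe, tokensSeen and the in-process echoTransport are all assumed names. It shows the leaky derive beside the safe one, using an in-process round tripper (constructed here) in place of the httptest server so it runs without sockets.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// roundTripperFunc adapts a plain function to http.RoundTripper.
type roundTripperFunc func(*http.Request) (*http.Response, error)

func (f roundTripperFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// echoTransport is a constructed stand-in for the API server: it answers every
// request with the Authorization header it received, so callers can see which
// token actually went out.
func echoTransport() http.RoundTripper {
	return roundTripperFunc(func(req *http.Request) (*http.Response, error) {
		return &http.Response{
			StatusCode: http.StatusOK,
			Header:     make(http.Header),
			Body:       io.NopCloser(strings.NewReader(req.Header.Get("Authorization"))),
		}, nil
	})
}

// withToken wraps base so every request carries "Bearer <token>".
func withToken(base http.RoundTripper, token string) http.RoundTripper {
	return roundTripperFunc(func(req *http.Request) (*http.Response, error) {
		req = req.Clone(req.Context())
		req.Header.Set("Authorization", "Bearer "+token)
		return base.RoundTrip(req)
	})
}

// apiClient is a hypothetical client type (not go-github's) that owns an
// *http.Client; the two derive methods below differ only in how they treat it.
type apiClient struct {
	httpc *http.Client
}

// withAuthTokenLeaky copies the struct by value but keeps the shared
// *http.Client, so it mutates the parent's Transport. The second derived client
// wraps the first wrapper; the inner (first) wrapper runs last and overwrites
// the Authorization header, so the first token wins for every derived client.
func (c *apiClient) withAuthTokenLeaky(token string) *apiClient {
	c2 := *c // c2.httpc still points at c.httpc
	c2.httpc.Transport = withToken(c2.httpc.Transport, token)
	return &c2
}

// withAuthTokenSafe gives the derived client its own *http.Client (copying the
// configurable fields), so wrapping Transport touches only that client.
func (c *apiClient) withAuthTokenSafe(token string) *apiClient {
	c2 := *c
	c2.httpc = &http.Client{Transport: c.httpc.Transport, CheckRedirect: c.httpc.CheckRedirect, Jar: c.httpc.Jar, Timeout: c.httpc.Timeout}
	c2.httpc.Transport = withToken(c2.httpc.Transport, token)
	return &c2
}

// whoAmI performs one request and returns the echoed Authorization header.
func (c *apiClient) whoAmI(ctx context.Context) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://api.invalid/user", nil)
	if err != nil {
		return "", err
	}
	resp, err := c.httpc.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// tokensSeen builds one shared base client, derives per-user clients for alise
// and bob with derive, and reports the token each user's request carried.
func tokensSeen(derive func(*apiClient, string) *apiClient) (alise, bob string, err error) {
	base := &apiClient{httpc: &http.Client{Transport: echoTransport()}}
	aliseClient := derive(base, "alise")
	bobClient := derive(base, "bob")
	if alise, err = aliseClient.whoAmI(context.Background()); err != nil {
		return "", "", err
	}
	bob, err = bobClient.whoAmI(context.Background())
	return alise, bob, err
}

func main() {
	a, b, _ := tokensSeen((*apiClient).withAuthTokenLeaky)
	fmt.Printf("leaky: alise sent %q, bob sent %q\n", a, b)
	a, b, _ = tokensSeen((*apiClient).withAuthTokenSafe)
	fmt.Printf("safe:  alise sent %q, bob sent %q\n", a, b)
}
```

The check worth keeping from this: any "derive a client with a different credential" helper must hand the child its own *http.Client (or at least its own Transport chain) before it wraps anything, and a test that derives two clients from one base and asserts on the header the server actually receives catches the regression.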

Have you tried the latest version after #3011?

So, I tried the new version, and the test still fails

github.com/google/go-github/v58 v58.0.0
github.com/google/go-github/v58 v58.0.0 h1:Una7GGERlF/37XfkPwpzYJe0Vp4dt2k1kCjlxwjIvzw=
github.com/google/go-github/v58 v58.0.0/go.mod h1:k4hxDKEfoWpSqFlc8LTpGd9fu2KrV1YAa6Hi6FmDNY4=

Also, I've tested it on master ref e9f5269 and the test still fails with unexpected assertions.

Thank you for the reproducible test case, @legigor !
When you get a chance, please review then LGTM+Approve #3051 if it fixes the problem you are seeing.

👍 So, I confirm that the test PASSED when run on the branch https://github.com/gmlewis/go-github/tree/i3043-leaky-client-transport-copy

Thank you!

Thanks, but #3051 is blocked until I can get an LGTM+Approval from any other contributor to this repo - would you mind doing that, @legigor so I can merge it, please?

@gmlewis 👍 LGTM

I know it's too late, but I just wanted to express my appreciation :)