Fix mishandling of SASL attribute parsing (#451)

gwynne · web-flow · commit e9b90b2189b6 · 2024-01-30T15:28:08.000+01:00
diff --git a/Sources/PostgresNIO/Utilities/SASLAuthentication+SCRAM-SHA256.swift b/Sources/PostgresNIO/Utilities/SASLAuthentication+SCRAM-SHA256.swift
@@ -209,14 +209,13 @@ fileprivate struct SCRAMMessageParser {
     }
     
     static func parse(raw: [UInt8], isGS2Header: Bool = false) -> [SCRAMAttribute]? {
-        
         // There are two ways to implement this parse:
         //  1. All-at-once: Split on comma, split each on equals, validate
         //     each results in a valid attribute.
         //  2. Sequential: State machine lookahead parse.
         // The former is simpler. The latter provides better validation.
-        let likelyAttributeSets = raw.split(separator: .comma, maxSplits: isGS2Header ? 3 : Int.max, omittingEmptySubsequences: false)
-        let likelyAttributePairs = likelyAttributeSets.map { $0.split(separator: .equals, maxSplits: 2, omittingEmptySubsequences: false) }
+        let likelyAttributeSets = raw.split(separator: .comma, maxSplits: isGS2Header ? 2 : Int.max, omittingEmptySubsequences: false)
+        let likelyAttributePairs = likelyAttributeSets.map { $0.split(separator: .equals, maxSplits: 1, omittingEmptySubsequences: false) }
         
         let results = likelyAttributePairs.map { parseAttributePair(name: Array($0[0]), value: $0.dropFirst().first.map { Array($0) } ?? [], isGS2Header: isGS2Header) }
         let validResults = results.compactMap { $0 }
@@ -369,7 +368,7 @@ internal struct SHA256_PLUS: SASLAuthenticationMechanism {
 } // enum SCRAM
 } // enum SASLMechanism
 
-/// Common impplementation of SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
+/// Common implementation of SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
 fileprivate final class SASLMechanism_SCRAM_SHA256_Common {
 
     /// Initialized with initial client state
diff --git a/Tests/PostgresNIOTests/New/Connection State Machine/AuthenticationStateMachineTests.swift b/Tests/PostgresNIOTests/New/Connection State Machine/AuthenticationStateMachineTests.swift
@@ -45,6 +45,30 @@ class AuthenticationStateMachineTests: XCTestCase {
         XCTAssertEqual(state.authenticationMessageReceived(.ok), .wait)
     }
     
+    func testAuthenticateSCRAMSHA256WithAtypicalEncoding() {
+        let authContext = AuthContext(username: "test", password: "abc123", database: "test")
+        var state = ConnectionStateMachine(requireBackendKeyData: true)
+        XCTAssertEqual(state.connected(tls: .disable), .provideAuthenticationContext)
+        XCTAssertEqual(state.provideAuthenticationContext(authContext), .sendStartupMessage(authContext))
+        
+        let saslResponse = state.authenticationMessageReceived(.sasl(names: ["SCRAM-SHA-256"]))
+        guard case .sendSaslInitialResponse(name: let name, initialResponse: let responseData) = saslResponse else {
+            return XCTFail("\(saslResponse) is not .sendSaslInitialResponse")
+        }
+        let responseString = String(decoding: responseData, as: UTF8.self)
+        XCTAssertEqual(name, "SCRAM-SHA-256")
+        XCTAssert(responseString.starts(with: "n,,n=test,r="))
+        
+        let saslContinueResponse = state.authenticationMessageReceived(.saslContinue(data: .init(bytes:
+            "r=\(responseString.dropFirst(12))RUJSZHhkeUVFNzRLNERKMkxmU05ITU1NZWcxaQ==,s=ijgUVaWgCDLRJyF963BKNA==,i=4096".utf8
+        )))
+        guard case .sendSaslResponse(let responseData2) = saslContinueResponse else {
+            return XCTFail("\(saslContinueResponse) is not .sendSaslResponse")
+        }
+        let response2String = String(decoding: responseData2, as: UTF8.self)
+        XCTAssertEqual(response2String.prefix(76), "c=biws,r=\(responseString.dropFirst(12))RUJSZHhkeUVFNzRLNERKMkxmU05ITU1NZWcxaQ==,p=")
+    }
+    
     func testAuthenticationFailure() {
         let authContext = AuthContext(username: "test", password: "abc123", database: "test")
         var state = ConnectionStateMachine(requireBackendKeyData: true)
