[TT-16013] Gateway panics when validating JWT claims #7530
Closed
probelabs / Visor: security
failed
Nov 27, 2025 in 1m 13s
🚨 Check Failed
security check failed because fail_if condition was met.
Details
📊 Summary
- Total Issues: 3
- Error Issues: 3
🔍 Failure Condition Results
Failed Conditions
- global_fail_if: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')
- Severity: ❌ error
Issues by Category
Logic (3)
- ❌ apidef/oas/security.go:81 - The `SecuritySchemes` struct is designed to be immutable, where methods like `delete` return a new, modified instance. The code calls `s.getTykSecuritySchemes().delete(...)` but ignores the returned new instance. As a result, security schemes that are supposed to be omitted from the configuration are not removed. This could lead to a security misconfiguration where an auth method believed to be disabled remains active with default (and potentially insecure) settings. The same issue exists on lines 395 and 514.
- ❌ apidef/oas/authentication.go:228 - The function `decodeScheme` is a stub that always returns a "not implemented" error. This function is called during JSON and YAML unmarshalling of `SecuritySchemes`. Consequently, any attempt to deserialize a configuration containing security schemes will fail. This is a denial-of-service vulnerability, as it will prevent the gateway from loading valid API definitions.
- ❌ system:0 - Global failure condition met: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')
Powered by Visor from Probelabs
💡 TIP: You can chat with Visor using /visor ask <your question>
Annotations
Check failure on line 81 in apidef/oas/security.go
probelabs / Visor: security
logic Issue
The `SecuritySchemes` struct is designed to be immutable, where methods like `delete` return a new, modified instance. The code calls `s.getTykSecuritySchemes().delete(...)` but ignores the returned new instance. As a result, security schemes that are supposed to be omitted from the configuration are not removed. This could lead to a security misconfiguration where an auth method believed to be disabled remains active with default (and potentially insecure) settings. The same issue exists on lines 395 and 514.
Raw output
Create a helper method on `OAS` to handle deletion from `SecuritySchemes` and reassign the result, similar to `setTykSecurityScheme`. For example:
```go
func (s *OAS) deleteTykSecurityScheme(key string) {
	auth := s.getTykAuthentication()
	if auth != nil {
		// delete returns a new SecuritySchemes instead of mutating in place,
		// so the result must be stored back or the removal is lost.
		auth.SecuritySchemes = auth.SecuritySchemes.delete(key)
	}
}
```
Then call this helper where needed, e.g., `s.deleteTykSecurityScheme(authConfig.Name)`.
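The following is an added, self-contained Go example (not Tyk's code and not part of the Visor report) that reproduces the ignored-return-value pattern described above and contrasts it with the suggested helper. The `SecurityScheme`, `Authentication` and `OAS` types, the `auth` field and the scheme names are assumptions made for illustration; only the `delete`-returns-a-copy semantics and the `getTykAuthentication`/`getTykSecuritySchemes` accessor names come from the report.

```go
package main

import "fmt"

// Added example (not Tyk's code): a stand-in for the immutable-style
// SecuritySchemes type the reviewer describes. Field and type names are
// assumptions for illustration.
type SecurityScheme struct {
	Enabled bool
}

// SecuritySchemes maps scheme name to its configuration. delete never
// mutates the receiver; it hands back a fresh map without the key.
type SecuritySchemes map[string]*SecurityScheme

func (s SecuritySchemes) delete(key string) SecuritySchemes {
	out := make(SecuritySchemes, len(s))
	for k, v := range s {
		if k != key {
			out[k] = v
		}
	}
	return out
}

type Authentication struct {
	SecuritySchemes SecuritySchemes
}

type OAS struct {
	auth *Authentication
}

func (s *OAS) getTykAuthentication() *Authentication { return s.auth }

func (s *OAS) getTykSecuritySchemes() SecuritySchemes {
	if s.auth == nil {
		return nil
	}
	return s.auth.SecuritySchemes
}

// buggyDelete reproduces the reported pattern: the returned map is
// discarded, so the stored map (and the scheme) are left untouched.
// The compiler and go vet accept this silently.
func (s *OAS) buggyDelete(key string) {
	s.getTykSecuritySchemes().delete(key)
}

// deleteTykSecurityScheme is the fix: store the returned map back on the
// authentication config.
func (s *OAS) deleteTykSecurityScheme(key string) {
	if auth := s.getTykAuthentication(); auth != nil {
		auth.SecuritySchemes = auth.SecuritySchemes.delete(key)
	}
}

// newOAS builds a constructed config with two enabled schemes.
func newOAS() *OAS {
	return &OAS{auth: &Authentication{SecuritySchemes: SecuritySchemes{
		"jwtAuth":   {Enabled: true},
		"tokenAuth": {Enabled: true},
	}}}
}

func hasScheme(s *OAS, key string) bool {
	_, ok := s.getTykSecuritySchemes()[key]
	return ok
}

// StillActiveAfterBuggyDelete is true when "jwtAuth" survives the buggy
// call: the operator believes it is gone, the gateway still has it.
func StillActiveAfterBuggyDelete() bool {
	s := newOAS()
	s.buggyDelete("jwtAuth")
	return hasScheme(s, "jwtAuth")
}

// RemovedAfterFixedDelete is true when the fix removes only "jwtAuth".
func RemovedAfterFixedDelete() bool {
	s := newOAS()
	s.deleteTykSecurityScheme("jwtAuth")
	return !hasScheme(s, "jwtAuth") && hasScheme(s, "tokenAuth")
}

func main() {
	fmt.Println("scheme still present after buggy delete:", StillActiveAfterBuggyDelete())
	fmt.Println("scheme removed after fixed delete:", RemovedAfterFixedDelete())
}
```

Because a method call whose result is dropped is a valid Go expression statement and `go vet`'s `unusedresult` check only covers a fixed list of functions, nothing in the toolchain flags this. A unit test that removes a scheme and then asserts it is absent from `getTykSecuritySchemes()` is the reliable guard, and it should cover each call site the report lists.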
Check failure on line 230 in apidef/oas/authentication.go
probelabs / Visor: security
logic Issue
The function `decodeScheme` is a stub that always returns a "not implemented" error. This function is called during JSON and YAML unmarshalling of `SecuritySchemes`. Consequently, any attempt to deserialize a configuration containing security schemes will fail. This is a denial-of-service vulnerability, as it will prevent the gateway from loading valid API definitions.
Raw output
Implement the `decodeScheme` function to correctly identify the type of security scheme from the raw `interface{}` data (likely a `map[string]interface{}`) and decode it into the corresponding struct (e.g., `*Token`, `*JWT`, etc.). This will likely require inspecting fields to determine the scheme type, similar to the logic in the `importNative` function.
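As an added example of the shape the suggestion describes (not Tyk's code and not part of the Visor report), the block below implements a `decodeScheme` that inspects the raw `map[string]interface{}` to choose a concrete type and decodes into it, with a `SecuritySchemes.UnmarshalJSON` that calls it per named scheme. The `Token` and `JWT` structs, their JSON field names, the discriminating fields (`signingMethod`, `header`, `query`) and the sample config are all assumptions chosen for illustration; Tyk's real scheme types and fields will differ, and the discriminator logic should be taken from the project's `importNative` rather than from here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added example (not Tyk's code). The scheme structs and their JSON field
// names are assumptions chosen for this illustration.
type Token struct {
	Enabled bool   `json:"enabled"`
	Header  string `json:"header,omitempty"`
	Query   string `json:"query,omitempty"`
}

type JWT struct {
	Enabled       bool   `json:"enabled"`
	SigningMethod string `json:"signingMethod"`
	Source        string `json:"source,omitempty"`
}

// SecuritySchemes holds decoded schemes keyed by name; values are *Token
// or *JWT.
type SecuritySchemes map[string]interface{}

func hasKey(m map[string]interface{}, k string) bool {
	_, ok := m[k]
	return ok
}

// decodeScheme inspects the raw object's fields to pick a concrete type,
// then round-trips it through encoding/json into that struct. Unknown
// shapes are rejected with an error rather than silently dropped, so a
// misspelled scheme cannot vanish from the loaded definition.
func decodeScheme(raw interface{}) (interface{}, error) {
	m, ok := raw.(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("security scheme must be an object, got %T", raw)
	}
	b, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	switch {
	case hasKey(m, "signingMethod"): // assumed JWT discriminator
		var j JWT
		if err := json.Unmarshal(b, &j); err != nil {
			return nil, err
		}
		return &j, nil
	case hasKey(m, "header") || hasKey(m, "query"): // assumed Token discriminator
		var t Token
		if err := json.Unmarshal(b, &t); err != nil {
			return nil, err
		}
		return &t, nil
	default:
		return nil, fmt.Errorf("unrecognised security scheme (no signingMethod, header or query field)")
	}
}

// UnmarshalJSON is the hook the stub broke: each named scheme is decoded
// individually and any failure names the offending scheme.
func (s *SecuritySchemes) UnmarshalJSON(data []byte) error {
	var rawMap map[string]interface{}
	if err := json.Unmarshal(data, &rawMap); err != nil {
		return err
	}
	out := make(SecuritySchemes, len(rawMap))
	for name, raw := range rawMap {
		scheme, err := decodeScheme(raw)
		if err != nil {
			return fmt.Errorf("security scheme %q: %w", name, err)
		}
		out[name] = scheme
	}
	*s = out
	return nil
}

// SampleConfig is a constructed security-schemes document, not taken from
// any real API definition.
const SampleConfig = `{
  "jwtAuth":   {"enabled": true, "signingMethod": "rsa", "source": "https://issuer.example/jwks.json"},
  "tokenAuth": {"enabled": true, "header": "Authorization"}
}`

// DecodedKinds parses cfg and reports which concrete type each scheme
// decoded to ("jwt" or "token").
func DecodedKinds(cfg string) (map[string]string, error) {
	var schemes SecuritySchemes
	if err := json.Unmarshal([]byte(cfg), &schemes); err != nil {
		return nil, err
	}
	kinds := make(map[string]string, len(schemes))
	for name, v := range schemes {
		switch v.(type) {
		case *JWT:
			kinds[name] = "jwt"
		case *Token:
			kinds[name] = "token"
		}
	}
	return kinds, nil
}

func main() {
	kinds, err := DecodedKinds(SampleConfig)
	fmt.Println(kinds, err)
}
```

The YAML path can reuse the same `decodeScheme` once the YAML library has produced a `map[string]interface{}`; the point that matters for the reported issue is that a valid definition decodes without error, while an unrecognised or non-object scheme fails loudly with the scheme name attached.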