fix: verify token length (#627)

2025-09-02 18:48:17 +08:00 · 2025-09-02 18:48:17 +08:00 · db75ba4357
parent 4016715187
commit db75ba4357
1 changed files with 4 additions and 0 deletions
--- a/src/auth.rs
+++ b/src/auth.rs
@ -173,6 +173,10 @@ impl AccessControl {
    fn verify_token<'a>(&'a self, token: &str, path: &str) -> Result<(String, &'a AccessPaths)> {
        let raw = hex::decode(token)?;

+        if raw.len() < 72 {
+            bail!("Invalid token");
+        }
+
        let sig_bytes = &raw[..64];
        let exp_bytes = &raw[64..72];
        let user_bytes = &raw[72..];