fix(security): prevent session hijack via cleanup OOM and stale credential reuse#6
Draft
fix(security): prevent session hijack via cleanup OOM and stale credential reuse#6
Conversation
…tial reuse Finding 1 (Critical): ngx_http_upstream_free_ntlm_peer - when ngx_pool_cleanup_add returns NULL, undo the cache insertion and goto invalid instead of silently continuing. Escalate log level to NGX_LOG_ERR so the failure is visible in production logs. Finding 2 (High): ngx_http_upstream_get_ntlm_peer - when a cached upstream connection exists for the client but the current request carries new NTLM/Negotiate credentials (ntlm_init==1) and the upstream connection has already completed the handshake (c->requests >= 2), evict and close the old authenticated session rather than silently reusing it for a potentially different identity. The c->requests >= 2 threshold lets the mid-handshake Type-3 message still reuse the same upstream TCP connection (requests==1 at that point) while catching any subsequent re-authentication attempt. Add TEST 5 to t/001-sanity.t covering the re-auth eviction path. Agent-Logs-Url: https://github.com/Securepoint/nginx-ntlm-module/sessions/97e86965-9ec8-4edf-8181-22e3722b03fd Co-authored-by: dsabotta <262123149+dsabotta@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Securepoint/nginx-ntlm-module/sessions/97e86965-9ec8-4edf-8181-22e3722b03fd Co-authored-by: dsabotta <262123149+dsabotta@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
dsabotta
May 6, 2026 14:07
View session
4 tasks
Copilot AI
added a commit
that referenced
this pull request
May 7, 2026
- Rewrites ngx_http_upstream_ntlm_module.c with four documented security invariants: I1. Atomic item release via ngx_http_upstream_ntlm_item_release() helper I2. c->read->data (not c->data) for cache item storage on idle connections I3. OOM guard: cleanup-add failure aborts cache insertion (session-hijack fix) I4. Stale-credential eviction on re-auth with established session - Fixes from all open PRs (#3, #6, #7): - Synchronous cleanup handler (no posted events) - Session-hijack via cleanup-OOM (critical) - Stale-credential reuse on established connections (high) - client_connection NULL in eviction path - Fault-injection macro NGX_NTLM_TEST_CLEANUP_NULL for testing - Adds ntlm_time and ntlm_requests directives - Adds notify peer callback pass-through - Updates README.md for v2 with security section - Updates Docker files to nginx 1.28.0 / alpine 3.20 - Adds TEST 5 (stale credential eviction) and TEST 6 (OOM guard, SKIP) to t/001-sanity.t Agent-Logs-Url: https://github.com/Securepoint/nginx-ntlm-module/sessions/3343cf49-d4a7-4188-89b8-5a89fad4a7fe Co-authored-by: matthias-lay <163420385+matthias-lay@users.noreply.github.com>
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two security vulnerabilities in the NTLM upstream module's session/connection cache allow an authenticated upstream session to be handed to the wrong client.
Finding 1 — Session hijack via cleanup handler registration failure (Critical)
ngx_pool_cleanup_addreturningNULLwas silently ignored: the upstream connection was still inserted into the cache with aclient_connectionpointer that nginx may later recycle for a different client.get_ntlm_peermatches purely on that pointer, so the new client inherits the old authenticated session (ABA pointer-reuse hijack).Fix: on
NULLreturn, undo the cache insertion (clearin_cache, null both connection pointers, return item to free list) andgoto invalid. Log atNGX_LOG_ERRinstead ofNGX_LOG_DEBUGso the failure is visible in production.Finding 2 — Stale credential reuse on an established connection (High)
When a subsequent request on the same keep-alive client TCP connection arrives with new
NTLM/Negotiatecredentials, the module previously ignored them and silently reused the existing authenticated upstream session.Fix: in
get_ntlm_peer, before committing to a cache hit, evict and close the old session whenntlm_init == 1(new credentials present) andc->requests >= 2(handshake complete). The>= 2threshold is intentional: the NTLM Type-3 message must reuse the same upstream TCP connection as the Type-1 exchange (c->requests == 1at that point); only post-handshake re-authentication attempts are rejected.Test
Adds TEST 5 to
t/001-sanity.t: three pipelined requests on one client TCP connection —NTLM token_A, no auth,NTLM token_B— asserting the third response carriesX-NGX-NTLM-AUTH: token_B, nottoken_A.