
[Security Issue] Sensitive Data Exposure (Token) #826

@im-soohyun

Description

Vulnerability Overview

JWT tokens are exposed in URL query parameters when a client accesses the OPAL server's data configuration endpoints.

Affected Code

Issue Details

  • JWT tokens are passed as URL query parameters, which risks exposure via web server logs, browser history, Referer headers, and other sources.
  • While logs mask a portion of the token (short_token), the actual redirect URL can contain the complete token.
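A defender-side check for the exposure described above, added here as an example and not part of the original issue or of OPAL's own code: it detects JWT-shaped values in a URL's query string (a redirect Location header, or the request target in a web server access log) and redacts them. The hostname, the token and the log lines are constructed samples, not real OPAL output.

```python
"""Added example, not from the original issue or the OPAL code base: find and
redact JWT-shaped values carried in URL query strings (a redirect Location
header, or the request line of an access log). All URLs and log lines here are
constructed samples."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# A JWT is header.payload.signature; header and payload are base64url-encoded
# JSON, so both start with "eyJ" (the encoding of '{"').
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Request line of an access log in combined log format: "GET /path?x=y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_jwt_params(url: str) -> list[str]:
    """Names of query parameters whose value looks like a JWT ([] if none).

    Works on full URLs and on path-only request targets such as "/x?token=...".
    """
    query = urlsplit(url).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if JWT_RE.match(v)]


def redact_url(url: str, placeholder: str = "REDACTED") -> str:
    """Return url with every JWT-shaped query value replaced by placeholder.

    Scheme, host, path and non-token parameters are kept as they are.
    """
    parts = urlsplit(url)
    pairs = [
        (k, placeholder if JWT_RE.match(v) else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines: list[str]) -> list[tuple[int, list[str], str]]:
    """Flag log lines whose request target carries a JWT in the query string.

    Returns (1-based line number, offending parameter names, redacted line) for
    each hit, so the finding can be alerted on and the stored line scrubbed.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        params = find_jwt_params(target)
        if params:
            redacted = line[: m.start("target")] + redact_url(target) + line[m.end("target"):]
            hits.append((n, params, redacted))
    return hits


# Constructed sample data: a redirect Location carrying a token, and two log lines.
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJvcGFsLWNsaWVudCJ9.c2FtcGxlLXNpZ25hdHVyZQ"
SAMPLE_LOCATION = f"https://example.invalid/policy-data?source=main&token={SAMPLE_TOKEN}"
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /data/config HTTP/1.1" 307 0 "-" "curl/8.0"',
    f'10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /policy-data?source=main&token={SAMPLE_TOKEN} HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print("token params in Location:", find_jwt_params(SAMPLE_LOCATION))
    print("redacted Location:", redact_url(SAMPLE_LOCATION))
    for n, params, redacted in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: token in {params} -> {redacted}")
```

Running `find_jwt_params` against the Location header of a redirect response (fetched without `-L`, so the redirect is not followed) is a quick regression check that the token no longer travels in the URL. The redaction only limits what already-written logs retain; the fix itself is to keep the token out of the URL, for example by sending it in an Authorization header as the curl command in the PoC does for the initial request.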

PoC

Environment Setup

docker run -d --name opal-example-opal_server-1 \
  -p 7002:7002 \
  -e OPAL_POLICY_SOURCE_TYPE=GIT \
  -e OPAL_POLICY_REPO_URL="https://github.com/permitio/opal-example-policy-repo" \
  -e OPAL_DATA_CONFIG_SOURCES='{"external_source_url":"https://webhook.site/4b07aedd-1ed5-4c7b-bf00-ba65a4756b13"}' \
  permitio/opal-server:latest

curl Example

curl -s -L -o /dev/null \
  -H "Authorization: Bearer 123123-1231231-123123" \
  http://localhost:7002/data/config

Impact

Information Exposure

JWT tokens exposed in URLs may be leaked to third parties via web server logs, browser history, and Referer headers.

Session Hijacking

Attackers who acquire valid JWT tokens can compromise user sessions and access privileged resources.
