Fix reference token privilege escalation

Author: reshmifrog

common/commands/config.go

@@ -47,7 +47,8 @@ const (
 
 const (
 	// Default config command name.
-	configCommandName = "config"
+	configCommandName    = "config"
+	referenceTokenPrefix = "cmVmdGtuOj"
 )
 
 // Internal golang locking for the same process.
@@ -295,10 +296,21 @@ func (cc *ConfigCommand) configRefreshableTokenIfPossible() {
 	if cc.details.User == "" || cc.details.Password == "" {
 		return
 	}
+	if isReferenceToken(cc.details.Password) {
+		log.Info("Detected a reference token as the password. Using basic authentication to preserve " +
+			"the token's restricted scope. The automatic token refresh mechanism is disabled.")
+		cc.useBasicAuthOnly = true
+		return
+	}
 	// Set the default interval for the refreshable tokens to be initialized in the next CLI run.
 	cc.details.ArtifactoryTokenRefreshInterval = coreutils.TokenRefreshDefaultInterval
 }
 
+// isReferenceToken checks whether the given value is a JFrog reference token.
+func isReferenceToken(token string) bool {
+	return strings.HasPrefix(token, referenceTokenPrefix)
+}
+
 func (cc *ConfigCommand) prepareConfigurationData() ([]*config.ServerDetails, error) {
 	// If details is nil, initialize a new one
 	if cc.details == nil {

common/commands/config_test.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"github.com/jfrog/jfrog-cli-core/v2/general/token"
 	"os"
@@ -16,6 +17,10 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func getReferenceToken(suffix string) string {
+	return base64.StdEncoding.EncodeToString([]byte("reftkn:01:1776144219:" + suffix))
+}
+
 const (
 	testServerId = "test"
 	//#nosec G101 - Dummy token for tests.
@@ -191,6 +196,52 @@ func TestBasicAuthOnlyOption(t *testing.T) {
 	assert.NoError(t, NewConfigCommand(Delete, testServerId).Run())
 }
 
+func TestReferenceTokenAutoDetection(t *testing.T) {
+	cleanUpJfrogHome, err := utilsTests.SetJfrogHome()
+	assert.NoError(t, err)
+	defer cleanUpJfrogHome()
+
+	inputDetails := tests.CreateTestServerDetails()
+	inputDetails.User = "testuser"
+
+	inputDetails.Password = getReferenceToken("RefToken")
+	outputConfig, err := configAndGetTestServer(t, inputDetails, false, false)
+	assert.NoError(t, err)
+	assert.Equal(t, coreutils.TokenRefreshDisabled, outputConfig.ArtifactoryTokenRefreshInterval,
+		"Reference token detected: token refresh should be auto-disabled")
+	assert.NoError(t, NewConfigCommand(Delete, testServerId).Run())
+
+	// Regular password (not a reference token) should still enable token refresh.
+	inputDetails.Password = "my-regular-password"
+	inputDetails.ArtifactoryTokenRefreshInterval = 0
+	outputConfig, err = configAndGetTestServer(t, inputDetails, false, false)
+	assert.NoError(t, err)
+	assert.Equal(t, coreutils.TokenRefreshDefaultInterval, outputConfig.ArtifactoryTokenRefreshInterval,
+		"Regular password: token refresh should remain enabled")
+	assert.NoError(t, NewConfigCommand(Delete, testServerId).Run())
+}
+
+func TestIsReferenceToken(t *testing.T) {
+	tests := []struct {
+		name     string
+		token    string
+		expected bool
+	}{
+		{"valid reference token", getReferenceToken("refToken"), true},
+		{"regular password", "my-password-123", false},
+		{"API key", "AKCp8kqqMa7buMW3FeN28joXt", false},
+		{"JWT access token", "eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ0ZXN0In0.signature", false},
+		{"empty string", "", false},
+		{"partial prefix only reftkn", base64.StdEncoding.EncodeToString([]byte("reftkn")) + "XYZ", false},
+		{"prefix without colon separator", base64.StdEncoding.EncodeToString([]byte("reftkn")) + "SomePassword", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, isReferenceToken(tt.token))
+		})
+	}
+}
+
 func TestMakeDefaultOption(t *testing.T) {
 	cleanUpJfrogHome, err := utilsTests.SetJfrogHome()
 	assert.NoError(t, err)

utils/config/tokenrefresh.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"errors"
+	"strings"
 	"sync"
 	"time"
 
@@ -19,6 +20,8 @@ import (
 	"github.com/jfrog/jfrog-client-go/utils/log"
 )
 
+const referenceTokenPrefix = "cmVmdGtuOj"
+
 // Internal golang locking for the same process.
 var mutex sync.Mutex
 
@@ -206,6 +209,12 @@ func CreateInitialRefreshableTokensIfNeeded(serverDetails *ServerDetails) (err e
 	if serverDetails.ArtifactoryTokenRefreshInterval <= 0 || serverDetails.ArtifactoryRefreshToken != "" || serverDetails.AccessToken != "" {
 		return nil
 	}
+	if strings.HasPrefix(serverDetails.Password, referenceTokenPrefix) {
+		log.Info("Reference token detected as password. Skipping automatic token creation " +
+			"to preserve the token's restricted scope.")
+		serverDetails.ArtifactoryTokenRefreshInterval = 0
+		return nil
+	}
 	mutex.Lock()
 	defer mutex.Unlock()
 	lockDirPath, err := coreutils.GetJfrogConfigLockDir()

utils/config/tokenrefresh_test.go

@@ -1,12 +1,23 @@
 package config
 
 import (
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"sync"
 	"testing"
 
 	configtests "github.com/jfrog/jfrog-cli-core/v2/utils/config/tests"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
+func fakeReferenceToken(suffix string) string {
+	return base64.StdEncoding.EncodeToString([]byte("reftkn:01:1776144219:" + suffix))
+}
+
 func TestCreateInitialRefreshableTokensIfNeededEarlyReturns(t *testing.T) {
 	tests := []struct {
 		name                          string
@@ -570,3 +581,89 @@ func TestCreateInitialRefreshableTokensIfNeededBranchCoverage(t *testing.T) {
 		assert.NotNil(t, serverDetails)
 	})
 }
+
+func TestReferenceTokenBlocksTokenCreation_MockServer(t *testing.T) {
+	cleanUpTempEnv := configtests.CreateTempEnv(t, false)
+	defer cleanUpTempEnv()
+
+	var mu sync.Mutex
+	var tokenRequestReceived bool
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/api/system/version" {
+			w.WriteHeader(http.StatusOK)
+			resp := map[string]string{"version": "7.77.0", "revision": "12345"}
+			json.NewEncoder(w).Encode(resp)
+			return
+		}
+		if r.URL.Path == "/api/security/token" && r.Method == http.MethodPost {
+			mu.Lock()
+			tokenRequestReceived = true
+			mu.Unlock()
+			w.Header().Set("Content-Type", "application/json")
+			resp := map[string]interface{}{
+				"access_token":  "mock-jwt-token",
+				"refresh_token": "mock-refresh-token",
+				"expires_in":    3600,
+				"scope":         "member-of-groups:*",
+				"token_type":    "Bearer",
+			}
+			json.NewEncoder(w).Encode(resp)
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer mockServer.Close()
+
+	parsedURL, err := url.Parse(mockServer.URL)
+	require.NoError(t, err)
+	artURL := parsedURL.Scheme + "://" + parsedURL.Host + "/api/"
+
+	// Test 1: Reference token as password — should NOT trigger token creation
+	serverDetails := &ServerDetails{
+		ServerId:                        "test-ref-token-blocked",
+		ArtifactoryTokenRefreshInterval: 60,
+		ArtifactoryRefreshToken:         "",
+		AccessToken:                     "",
+		ArtifactoryUrl:                  mockServer.URL + "/",
+		Url:                             artURL,
+		User:                            "testuser",
+		Password:                        fakeReferenceToken("testBlockedToken"),
+	}
+
+	err = SaveServersConf([]*ServerDetails{serverDetails})
+	require.NoError(t, err)
+
+	err = CreateInitialRefreshableTokensIfNeeded(serverDetails)
+	assert.NoError(t, err)
+
+	mu.Lock()
+	assert.False(t, tokenRequestReceived,
+		"FIX VERIFIED: Reference token password should prevent token creation request")
+	assert.Equal(t, 0, serverDetails.ArtifactoryTokenRefreshInterval,
+		"Token refresh interval should be reset to 0 for reference tokens")
+	tokenRequestReceived = false
+	mu.Unlock()
+
+	// Test 2: Regular password — SHOULD trigger token creation
+	serverDetails2 := &ServerDetails{
+		ServerId:                        "test-regular-pass",
+		ArtifactoryTokenRefreshInterval: 60,
+		ArtifactoryRefreshToken:         "",
+		AccessToken:                     "",
+		ArtifactoryUrl:                  mockServer.URL + "/",
+		Url:                             artURL,
+		User:                            "testuser",
+		Password:                        "my-regular-password",
+	}
+
+	err = SaveServersConf([]*ServerDetails{serverDetails2})
+	require.NoError(t, err)
+
+	_ = CreateInitialRefreshableTokensIfNeeded(serverDetails2)
+
+	mu.Lock()
+	assert.True(t, tokenRequestReceived,
+		"Regular password should trigger token creation as before")
+	mu.Unlock()
+}