Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
Browse Source

Merge pull request #31658 from nextcloud/bugfix/noid/limit-token-names 

Limit the length of app password names
pull/31687/head
Joas Schilling 4 years ago
committed by GitHub
parent
0fa17f8902 343476f54f
commit
c1215f573a
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 81 additions and 73 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      apps/settings/lib/Controller/AuthSettingsController.php
  2. 3
      core/Controller/AppPasswordController.php
  3. 4
      core/Controller/ClientFlowLoginController.php
  4. 4
      lib/private/Authentication/Token/Manager.php
  5. 4
      lib/private/Authentication/Token/PublicKeyTokenProvider.php
  6. 83
      tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
  7. 48
      tests/lib/Authentication/TwoFactorAuth/ManagerTest.php

8
apps/settings/lib/Controller/AuthSettingsController.php
View File

@ -145,6 +145,10 @@ class AuthSettingsController extends Controller {
return $this->getServiceNotAvailableResponse();
}
if (mb_strlen($name) > 128) {
$name = mb_substr($name, 0, 120) . '…';
}
$token = $this->generateRandomDeviceToken();
$deviceToken = $this->tokenProvider->generateToken($token, $this->uid, $loginName, $password, $name, IToken::PERMANENT_TOKEN);
$tokenData = $deviceToken->jsonSerialize();
@ -241,6 +245,10 @@ class AuthSettingsController extends Controller {
$this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
}
if (mb_strlen($name) > 128) {
$name = mb_substr($name, 0, 120) . '…';
}
if ($token instanceof INamedToken && $name !== $currentName) {
$token->setName($name);
$this->publishActivity(Provider::APP_TOKEN_RENAMED, $token->getId(), ['name' => $currentName, 'newName' => $name]);

3
core/Controller/AppPasswordController.php
View File

@ -99,6 +99,9 @@ class AppPasswordController extends \OCP\AppFramework\OCSController {
}
$userAgent = $this->request->getHeader('USER_AGENT');
if (mb_strlen($userAgent) > 128) {
$userAgent = mb_substr($userAgent, 0, 120) . '…';
}
$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);

4
core/Controller/ClientFlowLoginController.php
View File

@ -322,6 +322,10 @@ class ClientFlowLoginController extends Controller {
$clientName = $client->getName();
}
if (mb_strlen($clientName) > 128) {
$clientName = mb_substr($clientName, 0, 120) . '…';
}
$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
$uid = $this->userSession->getUser()->getUID();
$generatedToken = $this->tokenProvider->generateToken(

4
lib/private/Authentication/Token/Manager.php
View File

@ -61,6 +61,10 @@ class Manager implements IProvider {
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
if (mb_strlen($name) > 128) {
throw new InvalidTokenException('The given name is too long');
}
try {
return $this->publicKeyTokenProvider->generateToken(
$token,

4
lib/private/Authentication/Token/PublicKeyTokenProvider.php
View File

@ -84,6 +84,10 @@ class PublicKeyTokenProvider implements IProvider {
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
if (mb_strlen($name) > 128) {
throw new InvalidTokenException('The given name is too long');
}
$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
$this->mapper->insert($dbToken);

83
tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
View File

@ -80,10 +80,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -96,6 +93,22 @@ class PublicKeyTokenProviderTest extends TestCase {
$this->assertSame($password, $this->tokenProvider->getPassword($actual, $token));
}
public function testGenerateTokenInvalidName() {
$this->expectException(\OC\Authentication\Exceptions\InvalidTokenException::class);
$token = 'token';
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
}
public function testUpdateToken() {
$tk = new PublicKeyToken();
$this->mapper->expects($this->once())
@ -137,10 +150,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -167,10 +177,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -183,10 +190,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -246,12 +250,12 @@ class PublicKeyTokenProviderTest extends TestCase {
['session_lifetime', $defaultSessionLifetime, 150],
['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300],
]);
$this->mapper->expects($this->at(0))
->method('invalidateOld')
->with($this->time - 150);
$this->mapper->expects($this->at(1))
$this->mapper->expects($this->exactly(2))
->method('invalidateOld')
->with($this->time - 300);
->withConsecutive(
[$this->time - 150],
[$this->time - 300]
);
$this->tokenProvider->invalidateOldTokens();
}
@ -261,21 +265,18 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = null;
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$oldToken = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
$this->mapper
->expects($this->at(0))
->expects($this->once())
->method('getToken')
->with(hash('sha512', 'oldId' . '1f4h9s'))
->willReturn($oldToken);
$this->mapper
->expects($this->at(1))
->expects($this->once())
->method('insert')
->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name) {
return $token->getUID() === $uid &&
@ -286,7 +287,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$token->getPassword() === null;
}));
$this->mapper
->expects($this->at(2))
->expects($this->once())
->method('delete')
->with($this->callback(function ($token) use ($oldToken) {
return $token === $oldToken;
@ -300,21 +301,18 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'password';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$oldToken = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
$this->mapper
->expects($this->at(0))
->expects($this->once())
->method('getToken')
->with(hash('sha512', 'oldId' . '1f4h9s'))
->willReturn($oldToken);
$this->mapper
->expects($this->at(1))
->expects($this->once())
->method('insert')
->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name) {
return $token->getUID() === $uid &&
@ -326,7 +324,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$this->tokenProvider->getPassword($token, 'newId') === 'password';
}));
$this->mapper
->expects($this->at(2))
->expects($this->once())
->method('delete')
->with($this->callback(function ($token) use ($oldToken) {
return $token === $oldToken;
@ -370,10 +368,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -438,10 +433,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'password';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -456,10 +448,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = null;
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);

48
tests/lib/Authentication/TwoFactorAuth/ManagerTest.php
View File

@ -376,13 +376,13 @@ class ManagerTest extends TestCase {
->method('get')
->with('two_factor_remember_login')
->willReturn(false);
$this->session->expects($this->at(1))
$this->session->expects($this->exactly(2))
->method('remove')
->with('two_factor_auth_uid');
$this->session->expects($this->at(2))
->method('remove')
->with('two_factor_remember_login');
$this->session->expects($this->at(3))
->withConsecutive(
['two_factor_auth_uid'],
['two_factor_remember_login']
);
$this->session->expects($this->once())
->method('set')
->with(Manager::SESSION_UID_DONE, 'jos');
$this->session->method('getId')
@ -494,17 +494,13 @@ class ManagerTest extends TestCase {
public function testNeedsSecondFactor() {
$user = $this->createMock(IUser::class);
$this->session->expects($this->at(0))
->method('exists')
->with('app_password')
->willReturn(false);
$this->session->expects($this->at(1))
$this->session->expects($this->exactly(3))
->method('exists')
->with('two_factor_auth_uid')
->willReturn(false);
$this->session->expects($this->at(2))
->method('exists')
->with(Manager::SESSION_UID_DONE)
->withConsecutive(
['app_password'],
['two_factor_auth_uid'],
[Manager::SESSION_UID_DONE],
)
->willReturn(false);
$this->session->method('getId')
@ -575,12 +571,12 @@ class ManagerTest extends TestCase {
$this->user->method('getUID')
->willReturn('ferdinand');
$this->session->expects($this->at(0))
->method('set')
->with('two_factor_auth_uid', 'ferdinand');
$this->session->expects($this->at(1))
$this->session->expects($this->exactly(2))
->method('set')
->with('two_factor_remember_login', true);
->withConsecutive(
['two_factor_auth_uid', 'ferdinand'],
['two_factor_remember_login', true]
);
$this->session->method('getId')
->willReturn('mysessionid');
@ -605,12 +601,12 @@ class ManagerTest extends TestCase {
$this->user->method('getUID')
->willReturn('ferdinand');
$this->session->expects($this->at(0))
->method('set')
->with('two_factor_auth_uid', 'ferdinand');
$this->session->expects($this->at(1))
$this->session->expects($this->exactly(2))
->method('set')
->with('two_factor_remember_login', false);
->withConsecutive(
['two_factor_auth_uid', 'ferdinand'],
['two_factor_remember_login', false]
);
$this->session->method('getId')
->willReturn('mysessionid');

Write Preview
Loading…
Cancel
Save