diff options
| author | Azul <azul@leap.se> | 2013-08-08 14:26:10 +0200 |
|---|---|---|
| committer | Azul <azul@leap.se> | 2013-08-08 14:26:10 +0200 |
| commit | 31441fc921c3a60bff7c606f1da343fdd62d80d5 (patch) | |
| tree | 3526360311a2fc2c3194480b50a397c5fe8e2840 | |
| parent | 1a3fdad01d9cb2e2596281d38ce0c0f1ad4da04a (diff) | |
| parent | a0b276e4b8ae86dec7deee898e85b65784d89933 (diff) | |
Merge branch 'bugfix/3410-close-srp-vulnerablility'
| -rw-r--r-- | users/config/locales/en.yml | 1 | ||||
| -rw-r--r-- | users/leap_web_users.gemspec | 2 | ||||
| -rw-r--r-- | users/lib/warden/strategies/secure_remote_password.rb | 2 | ||||
| -rw-r--r-- | users/test/integration/browser/account_test.rb | 20 |
4 files changed, 24 insertions, 1 deletions
diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml index 1aa7005..62f822c 100644 --- a/users/config/locales/en.yml +++ b/users/config/locales/en.yml @@ -12,6 +12,7 @@ en: change_password: "Change Password" login_message: "Please log in with your account." invalid_user_pass: "Not a valid username/password combination" + invalid_ephemeral: "Invalid random key used. This looked like an attempt to hack the site to us. If it wasn't please contact support so we can look into the issue." all_strategies_failed: "Could not understand your login attempt. Please first send your login and a SRP ephemeral value A and then send the client_auth in the same session (using cookies)." update_login_and_password: "Update Login and Password" destroy_my_account: "Destroy my account" diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec index d33328a..7d1f220 100644 --- a/users/leap_web_users.gemspec +++ b/users/leap_web_users.gemspec @@ -17,6 +17,6 @@ Gem::Specification.new do |s| s.add_dependency "leap_web_core", LeapWeb::VERSION - s.add_dependency "ruby-srp", "~> 0.2.0" + s.add_dependency "ruby-srp", "~> 0.2.1" s.add_dependency "rails_warden" end diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb index 2c681be..4688fcd 100644 --- a/users/lib/warden/strategies/secure_remote_password.rb +++ b/users/lib/warden/strategies/secure_remote_password.rb @@ -49,6 +49,8 @@ module Warden else fail! :base => 'invalid_user_pass' end + rescue SRP::InvalidEphemeral + fail!(:base => "invalid_ephemeral") end def json_response(object) diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb index ce63baf..c65c491 100644 --- a/users/test/integration/browser/account_test.rb +++ b/users/test/integration/browser/account_test.rb @@ -20,4 +20,24 @@ class AccountTest < BrowserIntegrationTest assert_equal '/', current_path end + # trying to seed an invalid A for srp login + test "detects attempt to circumvent SRP" do + user = FactoryGirl.create :user + visit '/sessions/new' + fill_in 'Username', with: user.login + fill_in 'Password', with: "password" + inject_malicious_js + click_on 'Log In' + assert !page.has_content?("Welcome") + assert page.has_content?("Invalid random key") + end + + def inject_malicious_js + page.execute_script <<-EOJS + var calc = new srp.Calculate(); + calc.A = function(_a) {return "00";}; + calc.S = calc.A; + srp.session = new srp.Session(null, calc); + EOJS + end end |