summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAzul <azul@leap.se>2013-08-08 14:26:10 +0200
committerAzul <azul@leap.se>2013-08-08 14:26:10 +0200
commit31441fc921c3a60bff7c606f1da343fdd62d80d5 (patch)
tree3526360311a2fc2c3194480b50a397c5fe8e2840
parent1a3fdad01d9cb2e2596281d38ce0c0f1ad4da04a (diff)
parenta0b276e4b8ae86dec7deee898e85b65784d89933 (diff)
Merge branch 'bugfix/3410-close-srp-vulnerablility'
-rw-r--r--users/config/locales/en.yml1
-rw-r--r--users/leap_web_users.gemspec2
-rw-r--r--users/lib/warden/strategies/secure_remote_password.rb2
-rw-r--r--users/test/integration/browser/account_test.rb20
4 files changed, 24 insertions, 1 deletions
diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml
index 1aa7005..62f822c 100644
--- a/users/config/locales/en.yml
+++ b/users/config/locales/en.yml
@@ -12,6 +12,7 @@ en:
change_password: "Change Password"
login_message: "Please log in with your account."
invalid_user_pass: "Not a valid username/password combination"
+ invalid_ephemeral: "Invalid random key used. This looked like an attempt to hack the site to us. If it wasn't please contact support so we can look into the issue."
all_strategies_failed: "Could not understand your login attempt. Please first send your login and a SRP ephemeral value A and then send the client_auth in the same session (using cookies)."
update_login_and_password: "Update Login and Password"
destroy_my_account: "Destroy my account"
diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec
index d33328a..7d1f220 100644
--- a/users/leap_web_users.gemspec
+++ b/users/leap_web_users.gemspec
@@ -17,6 +17,6 @@ Gem::Specification.new do |s|
s.add_dependency "leap_web_core", LeapWeb::VERSION
- s.add_dependency "ruby-srp", "~> 0.2.0"
+ s.add_dependency "ruby-srp", "~> 0.2.1"
s.add_dependency "rails_warden"
end
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 2c681be..4688fcd 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
@@ -49,6 +49,8 @@ module Warden
else
fail! :base => 'invalid_user_pass'
end
+ rescue SRP::InvalidEphemeral
+ fail!(:base => "invalid_ephemeral")
end
def json_response(object)
diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb
index ce63baf..c65c491 100644
--- a/users/test/integration/browser/account_test.rb
+++ b/users/test/integration/browser/account_test.rb
@@ -20,4 +20,24 @@ class AccountTest < BrowserIntegrationTest
assert_equal '/', current_path
end
+ # trying to seed an invalid A for srp login
+ test "detects attempt to circumvent SRP" do
+ user = FactoryGirl.create :user
+ visit '/sessions/new'
+ fill_in 'Username', with: user.login
+ fill_in 'Password', with: "password"
+ inject_malicious_js
+ click_on 'Log In'
+ assert !page.has_content?("Welcome")
+ assert page.has_content?("Invalid random key")
+ end
+
+ def inject_malicious_js
+ page.execute_script <<-EOJS
+ var calc = new srp.Calculate();
+ calc.A = function(_a) {return "00";};
+ calc.S = calc.A;
+ srp.session = new srp.Session(null, calc);
+ EOJS
+ end
end