upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-04-15 22:11:17 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 25

Merge pull request #31658 from nextcloud/bugfix/noid/limit-token-names

Browse source 
Limit the length of app password names
This commit is contained in:
Joas Schilling 2022-03-23 14:12:20 +01:00 committed by GitHub
commit c1215f573a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 81 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
apps/settings/lib/Controller/AuthSettingsController.php
View file

@ -145,6 +145,10 @@ class AuthSettingsController extends Controller {
return $this->getServiceNotAvailableResponse();
}
if (mb_strlen($name) > 128) {
$name = mb_substr($name, 0, 120) . '…';
}
$token = $this->generateRandomDeviceToken();
$deviceToken = $this->tokenProvider->generateToken($token, $this->uid, $loginName, $password, $name, IToken::PERMANENT_TOKEN);
$tokenData = $deviceToken->jsonSerialize();
@ -241,6 +245,10 @@ class AuthSettingsController extends Controller {
$this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
}
if (mb_strlen($name) > 128) {
$name = mb_substr($name, 0, 120) . '…';
}
if ($token instanceof INamedToken && $name !== $currentName) {
$token->setName($name);
$this->publishActivity(Provider::APP_TOKEN_RENAMED, $token->getId(), ['name' => $currentName, 'newName' => $name]);

3
core/Controller/AppPasswordController.php
View file

@ -99,6 +99,9 @@ class AppPasswordController extends \OCP\AppFramework\OCSController {
}
$userAgent = $this->request->getHeader('USER_AGENT');
if (mb_strlen($userAgent) > 128) {
$userAgent = mb_substr($userAgent, 0, 120) . '…';
}
$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);

4
core/Controller/ClientFlowLoginController.php
View file

@ -322,6 +322,10 @@ class ClientFlowLoginController extends Controller {
$clientName = $client->getName();
}
if (mb_strlen($clientName) > 128) {
$clientName = mb_substr($clientName, 0, 120) . '…';
}
$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
$uid = $this->userSession->getUser()->getUID();
$generatedToken = $this->tokenProvider->generateToken(

4
lib/private/Authentication/Token/Manager.php
View file

@ -61,6 +61,10 @@ class Manager implements IProvider {
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
if (mb_strlen($name) > 128) {
throw new InvalidTokenException('The given name is too long');
}
try {
return $this->publicKeyTokenProvider->generateToken(
$token,

4
lib/private/Authentication/Token/PublicKeyTokenProvider.php
View file

@ -84,6 +84,10 @@ class PublicKeyTokenProvider implements IProvider {
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
if (mb_strlen($name) > 128) {
throw new InvalidTokenException('The given name is too long');
}
$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
$this->mapper->insert($dbToken);

83
tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
View file

@ -80,10 +80,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -96,6 +93,22 @@ class PublicKeyTokenProviderTest extends TestCase {
$this->assertSame($password, $this->tokenProvider->getPassword($actual, $token));
}
public function testGenerateTokenInvalidName() {
$this->expectException(\OC\Authentication\Exceptions\InvalidTokenException::class);
$token = 'token';
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
}
public function testUpdateToken() {
$tk = new PublicKeyToken();
$this->mapper->expects($this->once())
@ -137,10 +150,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -167,10 +177,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -183,10 +190,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -246,12 +250,12 @@ class PublicKeyTokenProviderTest extends TestCase {
['session_lifetime', $defaultSessionLifetime, 150],
['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300],
]);
$this->mapper->expects($this->at(0))
$this->mapper->expects($this->exactly(2))
->method('invalidateOld')
->with($this->time - 150);
$this->mapper->expects($this->at(1))
->method('invalidateOld')
->with($this->time - 300);
->withConsecutive(
[$this->time - 150],
[$this->time - 300]
);
$this->tokenProvider->invalidateOldTokens();
}
@ -261,21 +265,18 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = null;
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$oldToken = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
$this->mapper
->expects($this->at(0))
->expects($this->once())
->method('getToken')
->with(hash('sha512', 'oldId' . '1f4h9s'))
->willReturn($oldToken);
$this->mapper
->expects($this->at(1))
->expects($this->once())
->method('insert')
->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name) {
return $token->getUID() === $uid &&
@ -286,7 +287,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$token->getPassword() === null;
}));
$this->mapper
->expects($this->at(2))
->expects($this->once())
->method('delete')
->with($this->callback(function ($token) use ($oldToken) {
return $token === $oldToken;
@ -300,21 +301,18 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'password';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$oldToken = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
$this->mapper
->expects($this->at(0))
->expects($this->once())
->method('getToken')
->with(hash('sha512', 'oldId' . '1f4h9s'))
->willReturn($oldToken);
$this->mapper
->expects($this->at(1))
->expects($this->once())
->method('insert')
->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name) {
return $token->getUID() === $uid &&
@ -326,7 +324,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$this->tokenProvider->getPassword($token, 'newId') === 'password';
}));
$this->mapper
->expects($this->at(2))
->expects($this->once())
->method('delete')
->with($this->callback(function ($token) use ($oldToken) {
return $token === $oldToken;
@ -370,10 +368,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'passme';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -438,10 +433,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = 'password';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
@ -456,10 +448,7 @@ class PublicKeyTokenProviderTest extends TestCase {
$uid = 'user';
$user = 'User';
$password = null;
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
$type = IToken::PERMANENT_TOKEN;
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);

48
tests/lib/Authentication/TwoFactorAuth/ManagerTest.php
View file

@ -376,13 +376,13 @@ class ManagerTest extends TestCase {
->method('get')
->with('two_factor_remember_login')
->willReturn(false);
$this->session->expects($this->at(1))
$this->session->expects($this->exactly(2))
->method('remove')
->with('two_factor_auth_uid');
$this->session->expects($this->at(2))
->method('remove')
->with('two_factor_remember_login');
$this->session->expects($this->at(3))
->withConsecutive(
['two_factor_auth_uid'],
['two_factor_remember_login']
);
$this->session->expects($this->once())
->method('set')
->with(Manager::SESSION_UID_DONE, 'jos');
$this->session->method('getId')
@ -494,17 +494,13 @@ class ManagerTest extends TestCase {
public function testNeedsSecondFactor() {
$user = $this->createMock(IUser::class);
$this->session->expects($this->at(0))
$this->session->expects($this->exactly(3))
->method('exists')
->with('app_password')
->willReturn(false);
$this->session->expects($this->at(1))
->method('exists')
->with('two_factor_auth_uid')
->willReturn(false);
$this->session->expects($this->at(2))
->method('exists')
->with(Manager::SESSION_UID_DONE)
->withConsecutive(
['app_password'],
['two_factor_auth_uid'],
[Manager::SESSION_UID_DONE],
)
->willReturn(false);
$this->session->method('getId')
@ -575,12 +571,12 @@ class ManagerTest extends TestCase {
$this->user->method('getUID')
->willReturn('ferdinand');
$this->session->expects($this->at(0))
$this->session->expects($this->exactly(2))
->method('set')
->with('two_factor_auth_uid', 'ferdinand');
$this->session->expects($this->at(1))
->method('set')
->with('two_factor_remember_login', true);
->withConsecutive(
['two_factor_auth_uid', 'ferdinand'],
['two_factor_remember_login', true]
);
$this->session->method('getId')
->willReturn('mysessionid');
@ -605,12 +601,12 @@ class ManagerTest extends TestCase {
$this->user->method('getUID')
->willReturn('ferdinand');
$this->session->expects($this->at(0))
$this->session->expects($this->exactly(2))
->method('set')
->with('two_factor_auth_uid', 'ferdinand');
$this->session->expects($this->at(1))
->method('set')
->with('two_factor_remember_login', false);
->withConsecutive(
['two_factor_auth_uid', 'ferdinand'],
['two_factor_remember_login', false]
);
$this->session->method('getId')
->willReturn('mysessionid');