Validate verification code input before sending it #103

Open
wants to merge 9 commits into
base: main

marlam
Contributor

@marlam marlam commented Oct 17, 2024

This makes sure that the verification code only contains characters a-z A-Z 0-9, and is of limited length.

Otherwise it is possible for a user to cause arbitrary data to be sent to the server, including invalid JSON. This could be a problem if the JSON parser on the receiving end has bugs.

For example, code input 'A"}BBBBBBBB...' would lead to JSON data '{"session_id":"SESSIONID","pin":"A"}BBBBBBBB..."}' to be sent to the server.


codecov bot commented Oct 17, 2024

Codecov Report

Attention: Patch coverage is 92.85714% with 1 line in your changes missing coverage. Please review.

Project coverage is 72.87%. Comparing base (e5a0b54) to head (9d43607).
Report is 10 commits behind head on main.

Files with missing lines Patch % Lines
src/tty.c 91.66% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #103      +/-   ##
==========================================
+ Coverage   71.02%   72.87%   +1.85%     
==========================================
  Files           6        6              
  Lines         283      306      +23     
  Branches       44       47       +3     
==========================================
+ Hits          201      223      +22     
  Misses         71       71              
- Partials       11       12       +1     


@mrvanes
Contributor

mrvanes commented Oct 18, 2024

When using pamtester to test the PR, I get a segmentation fault on an empty code response:

Enter verification code: <enter>
Segmentation fault

It would be nice if you could extend the validation to the username input and return a permission denied on invalid usernames:

$ sudo pamtester weblogin '"a}aaa"' authenticate
Server error!
pamtester: System error

@marlam
Contributor Author

marlam commented Oct 18, 2024

I fixed the segfault - I overlooked that tty_input() returns NULL on empty input.

This can also bite the group input, I opened PR #104 for this.

I will extend this to cover user names in a separate PR commit, because that requires a small extension of input_is_safe().

Member

@baszoetekouw baszoetekouw left a comment

Hi Martin!
Thanks for this PR. Looks good in principle, but I think we should be a bit more careful with the string manipulations (see comments).

@@ -77,6 +77,35 @@ char *tty_input(pam_handle_t *pamh, const char *text, int echo_code)
return ret;
}

int input_is_safe(const char *input, size_t max_length)
{
size_t length = strlen(input);
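
Review bot: strlen(input) on the first line of input_is_safe() dereferences input with no NULL check in front of it. The thread states that tty_input() returns NULL on empty input, so a caller that passes that result straight through will crash here. Reject NULL as "not safe" at the top of the function, before measuring the length, so the guarantee lives in the validator rather than in every call site.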

This is not safe. If input isn't terminated by a \0, strlen() will run into unrelated memory. This is unlikely but could possibly occur.

The better solution is to use strnlen() and then make sure that the string is 0-terminated. Or use strndup() to make a local copy of the string.

@@ -77,6 +77,35 @@ char *tty_input(pam_handle_t *pamh, const char *text, int echo_code)
return ret;
}

int input_is_safe(const char *input, size_t max_length)

If you intend to return a true/false value, please use an explicit bool value for that.
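
The validation described in this PR with the review feedback applied (bounded scan, NULL rejected, explicit bool return), as an added example that is not the project's code. The names `code_is_safe_example` and `build_pin_json_example` and the 16-character limit are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example; the page does not state the real one. */
#define EXAMPLE_MAX_CODE_LEN 16

/* True only if input is non-NULL, NUL-terminated within max_length
 * characters, and every character is a-z, A-Z or 0-9. The scan reads at
 * most max_length + 1 bytes, so an unterminated buffer cannot run it away. */
bool code_is_safe_example(const char *input, size_t max_length)
{
    if (input == NULL)
        return false;            /* the thread notes tty_input() can return NULL */
    for (size_t i = 0; i <= max_length; i++) {
        char c = input[i];
        if (c == '\0')
            return true;         /* terminator found inside the bound */
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9');
        if (!ok)
            return false;        /* would include '"' and '}' from the PR text */
    }
    return false;                /* longer than max_length */
}

/* Builds the request body only for a validated code. session_id is assumed
 * to be server-issued and already trusted in this example. Returns the body
 * length, or -1 if the code is rejected or the buffer is too small. */
int build_pin_json_example(char *out, size_t out_size,
                           const char *session_id, const char *code)
{
    if (!code_is_safe_example(code, EXAMPLE_MAX_CODE_LEN))
        return -1;
    int n = snprintf(out, out_size, "{\"session_id\":\"%s\",\"pin\":\"%s\"}",
                     session_id, code);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

int main(void)
{
    char body[128];
    /* Constructed inputs: valid code, the PR's injection shape, 17 chars. */
    const char *inputs[] = { "A1b2C3", "A\"}BBBBBBBB", "12345678901234567" };
    for (size_t i = 0; i < 3; i++) {
        int n = build_pin_json_example(body, sizeof body, "SESSIONID", inputs[i]);
        printf("%s -> %s\n", inputs[i], n < 0 ? "rejected" : body);
    }
    return 0;
}
```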

Successfully merging this pull request may close these issues.

Better sanitation for variables fetch from pam_get_item()