Validate verification code input before sending it #103

Merged on Nov 13, 2024 (11 commits)

@marlam marlam commented Oct 17, 2024

This makes sure that the verification code only contains characters a-z A-Z 0-9, and is of limited length.

Otherwise it is possible for a user to cause arbitrary data to be sent to the server, including invalid JSON. This could be a problem if the JSON parser on the receiving end has bugs.

For example, code input 'A"}BBBBBBBB...' would lead to JSON data '{"session_id":"SESSIONID","pin":"A"}BBBBBBBB..."}' to be sent to the server.


codecov bot commented Oct 17, 2024

Codecov Report

Attention: Patch coverage is 92.85714% with 1 line in your changes missing coverage. Please review.

Project coverage is 72.87%. Comparing base (0b91f62) to head (7aae388).
Report is 10 commits behind head on main.

Files with missing lines Patch % Lines
src/tty.c 91.66% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #103      +/-   ##
==========================================
+ Coverage   72.51%   72.87%   +0.35%     
==========================================
  Files           6        6              
  Lines         302      306       +4     
  Branches       47       47              
==========================================
+ Hits          219      223       +4     
  Misses         71       71              
  Partials       12       12              



mrvanes commented Oct 18, 2024

When using pamtester to test the PR, I get a segmentation fault on an empty code response:

Enter verification code: <enter>
Segmentation fault

It would be nice if you could extend the validation to the username input and return a permission denied on invalid usernames:

$ sudo pamtester weblogin '"a}aaa"' authenticate
Server error!
pamtester: System error


marlam commented Oct 18, 2024

I fixed the segfault - I overlooked that tty_input() returns NULL on empty input.

This can also bite the group input, I opened PR #104 for this.

I will extend this to cover user names in a separate PR commit, because that requires a small extension of input_is_safe().
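
Added example (not part of this PR or the project's code): a sketch of the allowlist check discussed in this thread, covering both the injected-quote input from the description and the NULL returned on empty input. The names `example_code_is_safe`, `example_build_body` and `EXAMPLE_MAX_CODE_LEN`, the 16-character limit, and the assumption that the session ID is already trusted are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EXAMPLE_MAX_CODE_LEN 16 /* assumed limit; the PR's real limit is not shown here */

/* Hypothetical validator: 1 only for a non-NULL, non-empty string of at most
 * max_len characters, all in a-z A-Z 0-9. Explicit ranges are used instead of
 * isalnum(), whose result depends on the locale. */
int example_code_is_safe(const char *s, size_t max_len)
{
    if (s == NULL) /* empty input may arrive as NULL, not as "" */
        return 0;
    size_t n = 0;
    for (; s[n] != '\0'; n++) {
        char c = s[n];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9');
        if (!ok || n >= max_len) /* bad character, or longer than max_len */
            return 0;
    }
    return n > 0;
}

/* Builds the JSON body only when the code passes validation. Returns the body
 * length, or -1 if the code is rejected or the buffer is too small.
 * Assumption: session_id is trusted and needs no escaping. */
int example_build_body(char *out, size_t out_len, const char *session_id,
                       const char *code)
{
    if (!example_code_is_safe(code, EXAMPLE_MAX_CODE_LEN))
        return -1;
    int n = snprintf(out, out_len, "{\"session_id\":\"%s\",\"pin\":\"%s\"}",
                     session_id, code);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs: valid code, the PR's injection example, empty, NULL. */
    const char *samples[] = { "abc123", "A\"}BBBBBBBB", "", NULL };
    char body[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = example_build_body(body, sizeof body, "SESSIONID", samples[i]);
        printf("%s -> %s\n", samples[i] ? samples[i] : "(NULL)",
               n < 0 ? "rejected" : body);
    }
    return 0;
}
```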


@baszoetekouw baszoetekouw left a comment

Hi Martin!
Thanks for this PR. Looks good in principle, but I think we should be a bit more careful with the string manipulations (see comments).

@baszoetekouw baszoetekouw merged commit c9f6815 into SURFscz:main Nov 13, 2024
30 checks passed
Successfully merging this pull request may close these issues.

Better sanitation for variables fetch from pam_get_item()