diff options
| author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2022-03-23 14:12:20 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-23 14:12:20 +0100 |
| commit | c1215f573ae98fb3cf66f9ff5dc408574a7df560 (patch) | |
| tree | bf688953404dae6ca0488cca0391fb0491eddb65 | |
| parent | 0fa17f8902e7391f189227b406a0058af6c4a4e0 (diff) | |
| parent | 343476f54f9d1fab088c3ef17827a49630f591c0 (diff) | |
| download | nextcloud-server-c1215f573ae98fb3cf66f9ff5dc408574a7df560.tar.gz nextcloud-server-c1215f573ae98fb3cf66f9ff5dc408574a7df560.zip | |
Merge pull request #31658 from nextcloud/bugfix/noid/limit-token-names
Limit the length of app password names
7 files changed, 81 insertions, 73 deletions
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php index 3255fcce56e..38db7be1e91 100644 --- a/apps/settings/lib/Controller/AuthSettingsController.php +++ b/apps/settings/lib/Controller/AuthSettingsController.php @@ -145,6 +145,10 @@ class AuthSettingsController extends Controller { return $this->getServiceNotAvailableResponse(); } + if (mb_strlen($name) > 128) { + $name = mb_substr($name, 0, 120) . '…'; + } + $token = $this->generateRandomDeviceToken(); $deviceToken = $this->tokenProvider->generateToken($token, $this->uid, $loginName, $password, $name, IToken::PERMANENT_TOKEN); $tokenData = $deviceToken->jsonSerialize(); @@ -241,6 +245,10 @@ class AuthSettingsController extends Controller { $this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]); } + if (mb_strlen($name) > 128) { + $name = mb_substr($name, 0, 120) . '…'; + } + if ($token instanceof INamedToken && $name !== $currentName) { $token->setName($name); $this->publishActivity(Provider::APP_TOKEN_RENAMED, $token->getId(), ['name' => $currentName, 'newName' => $name]); diff --git a/core/Controller/AppPasswordController.php b/core/Controller/AppPasswordController.php index 41f0f6e4f27..7cc0310746d 100644 --- a/core/Controller/AppPasswordController.php +++ b/core/Controller/AppPasswordController.php @@ -99,6 +99,9 @@ class AppPasswordController extends \OCP\AppFramework\OCSController { } $userAgent = $this->request->getHeader('USER_AGENT'); + if (mb_strlen($userAgent) > 128) { + $userAgent = mb_substr($userAgent, 0, 120) . '…'; + } $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php index e067f0ff6b5..ff6b8888884 100644 --- a/core/Controller/ClientFlowLoginController.php +++ b/core/Controller/ClientFlowLoginController.php @@ -322,6 +322,10 @@ class ClientFlowLoginController extends Controller { $clientName = $client->getName(); } + if (mb_strlen($clientName) > 128) { + $clientName = mb_substr($clientName, 0, 120) . '…'; + } + $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); $uid = $this->userSession->getUser()->getUID(); $generatedToken = $this->tokenProvider->generateToken( diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php index 0a7a821e23e..ae0874733f8 100644 --- a/lib/private/Authentication/Token/Manager.php +++ b/lib/private/Authentication/Token/Manager.php @@ -61,6 +61,10 @@ class Manager implements IProvider { string $name, int $type = IToken::TEMPORARY_TOKEN, int $remember = IToken::DO_NOT_REMEMBER): IToken { + if (mb_strlen($name) > 128) { + throw new InvalidTokenException('The given name is too long'); + } + try { return $this->publicKeyTokenProvider->generateToken( $token, diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index d2ee47cf380..26337029d77 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -84,6 +84,10 @@ class PublicKeyTokenProvider implements IProvider { string $name, int $type = IToken::TEMPORARY_TOKEN, int $remember = IToken::DO_NOT_REMEMBER): IToken { + if (mb_strlen($name) > 128) { + throw new InvalidTokenException('The given name is too long'); + } + $dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember); $this->mapper->insert($dbToken); diff --git a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php index 062d1840a5f..f6067b8d15a 100644 --- a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php +++ b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php @@ -80,10 +80,7 @@ class PublicKeyTokenProviderTest extends TestCase { $uid = 'user'; $user = 'User'; $password = 'passme'; - $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; $type = IToken::PERMANENT_TOKEN; $actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); @@ -96,6 +93,22 @@ class PublicKeyTokenProviderTest extends TestCase { $this->assertSame($password, $this->tokenProvider->getPassword($actual, $token)); } + public function testGenerateTokenInvalidName() { + $this->expectException(\OC\Authentication\Exceptions\InvalidTokenException::class); + + $token = 'token'; + $uid = 'user'; + $user = 'User'; + $password = 'passme'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' + . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' + . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' + . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $type = IToken::PERMANENT_TOKEN; + + $actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); + } + public function testUpdateToken() { $tk = new PublicKeyToken(); $this->mapper->expects($this->once()) @@ -137,10 +150,7 @@ class PublicKeyTokenProviderTest extends TestCase { $uid = 'user'; $user = 'User'; $password = 'passme'; - $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; $type = IToken::PERMANENT_TOKEN; $actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); @@ -167,10 +177,7 @@ class PublicKeyTokenProviderTest extends TestCase { $uid = 'user'; $user = 'User'; $password = 'passme'; - $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; $type = IToken::PERMANENT_TOKEN; $actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); @@ -183,10 +190,7 @@ class PublicKeyTokenProviderTest extends TestCase { $uid = 'user'; $user = 'User'; $password = 'passme'; - $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; $type = IToken::PERMANENT_TOKEN; $actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); @@ -246,12 +250,12 @@ class PublicKeyTokenProviderTest extends TestCase { ['session_lifetime', $defaultSessionLifetime, 150], ['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300], ]); - $this->mapper->expects($this->at(0)) - ->method('invalidateOld') - ->with($this->time - 150); - $this->mapper->expects($this->at(1)) + $this->mapper->expects($this->exactly(2)) ->method('invalidateOld') - ->with($this->time - 300); + ->withConsecutive( + [$this->time - 150], + [$this->time - 300] + ); $this->tokenProvider->invalidateOldTokens(); } @@ -261,21 +265,18 @@ class PublicKeyTokenProviderTest extends TestCase { $uid = 'user'; $user = 'User'; $password = null; - $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; $type = IToken::PERMANENT_TOKEN; $oldToken = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); $this->mapper - ->expects($this->at(0)) + ->expects($this->once()) ->method('getToken') ->with(hash('sha512', 'oldId' . '1f4h9s')) ->willReturn($oldToken); $this->mapper - ->expects($this->at(1)) + ->expects($this->once()) ->method('insert') ->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name) { return $token->getUID() === $uid && @@ -286,7 +287,7 @@ class PublicKeyTokenProviderTest extends TestCase { $token->getPassword() === null; })); $this->mapper - ->expects($this->at(2)) + ->expects($this->once()) ->method('delete') ->with($this->callback(function ($token) use ($oldToken) { return $token === $oldToken; @@ -300,21 +301,18 @@ class PublicKeyTokenProviderTest extends TestCase { $uid = 'user'; $user = 'User'; $password = 'password'; - $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; $type = IToken::PERMANENT_TOKEN; $oldToken = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); $this->mapper - ->expects($this->at(0)) + ->expects($this->once()) ->method('getToken') ->with(hash('sha512', 'oldId' . '1f4h9s')) ->willReturn($oldToken); $this->mapper - ->expects($this->at(1)) + ->expects($this->once()) ->method('insert') ->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name) { return $token->getUID() === $uid && @@ -326,7 +324,7 @@ class PublicKeyTokenProviderTest extends TestCase { $this->tokenProvider->getPassword($token, 'newId') === 'password'; })); $this->mapper - ->expects($this->at(2)) + ->expects($this->once()) ->method('delete') ->with($this->callback(function ($token) use ($oldToken) { return $token === $oldToken; @@ -370,10 +368,7 @@ class PublicKeyTokenProviderTest extends TestCase { $uid = 'user'; $user = 'User'; $password = 'passme'; - $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; $type = IToken::PERMANENT_TOKEN; $actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); @@ -438,10 +433,7 @@ class PublicKeyTokenProviderTest extends TestCase { $uid = 'user'; $user = 'User'; $password = 'password'; - $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; $type = IToken::PERMANENT_TOKEN; $actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); @@ -456,10 +448,7 @@ class PublicKeyTokenProviderTest extends TestCase { $uid = 'user'; $user = 'User'; $password = null; - $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' - . 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; + $name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; $type = IToken::PERMANENT_TOKEN; $actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); diff --git a/tests/lib/Authentication/TwoFactorAuth/ManagerTest.php b/tests/lib/Authentication/TwoFactorAuth/ManagerTest.php index fc921b8016b..ae6fadc790c 100644 --- a/tests/lib/Authentication/TwoFactorAuth/ManagerTest.php +++ b/tests/lib/Authentication/TwoFactorAuth/ManagerTest.php @@ -376,13 +376,13 @@ class ManagerTest extends TestCase { ->method('get') ->with('two_factor_remember_login') ->willReturn(false); - $this->session->expects($this->at(1)) + $this->session->expects($this->exactly(2)) ->method('remove') - ->with('two_factor_auth_uid'); - $this->session->expects($this->at(2)) - ->method('remove') - ->with('two_factor_remember_login'); - $this->session->expects($this->at(3)) + ->withConsecutive( + ['two_factor_auth_uid'], + ['two_factor_remember_login'] + ); + $this->session->expects($this->once()) ->method('set') ->with(Manager::SESSION_UID_DONE, 'jos'); $this->session->method('getId') @@ -494,17 +494,13 @@ class ManagerTest extends TestCase { public function testNeedsSecondFactor() { $user = $this->createMock(IUser::class); - $this->session->expects($this->at(0)) - ->method('exists') - ->with('app_password') - ->willReturn(false); - $this->session->expects($this->at(1)) + $this->session->expects($this->exactly(3)) ->method('exists') - ->with('two_factor_auth_uid') - ->willReturn(false); - $this->session->expects($this->at(2)) - ->method('exists') - ->with(Manager::SESSION_UID_DONE) + ->withConsecutive( + ['app_password'], + ['two_factor_auth_uid'], + [Manager::SESSION_UID_DONE], + ) ->willReturn(false); $this->session->method('getId') @@ -575,12 +571,12 @@ class ManagerTest extends TestCase { $this->user->method('getUID') ->willReturn('ferdinand'); - $this->session->expects($this->at(0)) - ->method('set') - ->with('two_factor_auth_uid', 'ferdinand'); - $this->session->expects($this->at(1)) + $this->session->expects($this->exactly(2)) ->method('set') - ->with('two_factor_remember_login', true); + ->withConsecutive( + ['two_factor_auth_uid', 'ferdinand'], + ['two_factor_remember_login', true] + ); $this->session->method('getId') ->willReturn('mysessionid'); @@ -605,12 +601,12 @@ class ManagerTest extends TestCase { $this->user->method('getUID') ->willReturn('ferdinand'); - $this->session->expects($this->at(0)) - ->method('set') - ->with('two_factor_auth_uid', 'ferdinand'); - $this->session->expects($this->at(1)) + $this->session->expects($this->exactly(2)) ->method('set') - ->with('two_factor_remember_login', false); + ->withConsecutive( + ['two_factor_auth_uid', 'ferdinand'], + ['two_factor_remember_login', false] + ); $this->session->method('getId') ->willReturn('mysessionid'); |