From 89d3a2552a0c118d2c41a9fb3d3da8f16f696ceb Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Thu, 13 Aug 2020 03:48:21 -0600
Subject: [PATCH] fix nil pointer and timing vulnerability
---
 cmd/mgmt/route.go | 6 ++++++
 mgmt/authstore/authstore_test.go | 7 ++++---
 mgmt/authstore/postgresql.go | 10 ++++++++--
 3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/cmd/mgmt/route.go b/cmd/mgmt/route.go
index af8836d..b2e332a 100644
--- a/cmd/mgmt/route.go
+++ b/cmd/mgmt/route.go
@@ -162,6 +162,12 @@ func routeAll() chi.Router {
 r.Post("/{otp}", func(w http.ResponseWriter, r *http.Request) {
 sharedKey := chi.URLParam(r, "otp")
 original, err := store.Get(sharedKey)
+ if nil != err {
+ msg := `{"error":"not found"}`
+ log.Printf("/api/register-device/\n")
+ log.Println(err)
+ http.Error(w, msg, http.StatusNotFound)
+ }
 if "" != original.MachinePPID {
 msg := `{"error":"the presented key has already been used"}`
 log.Printf("/api/register-device/\n")
diff --git a/mgmt/authstore/authstore_test.go b/mgmt/authstore/authstore_test.go
index feea592..b5b4dcb 100644
--- a/mgmt/authstore/authstore_test.go
+++ b/mgmt/authstore/authstore_test.go
@@ -27,10 +27,11 @@ func TestStore(t *testing.T) {
 num := "8"
 slug := num + "-xxx-client"
- pubkey := num + "-somehash"
+ secret := "3-xxxx-zzzz-yyyy"
+ pubkey := ToPublicKeyString(secret)
 auth1 := &Authorization{
 Slug: slug,
- SharedKey: "3-xxxx-zzzz-yyyy",
+ SharedKey: secret,
 PublicKey: pubkey,
 }
 err = store.Add(auth1)
@@ -64,7 +65,7 @@ func TestStore(t *testing.T) {
 return
 }
- auth, err := store.Get(slug)
+ auth, err = store.Get(slug)
 if nil == err {
 t.Fatal("should get nothing back")
 return
diff --git a/mgmt/authstore/postgresql.go b/mgmt/authstore/postgresql.go
index 4f54877..57b9912 100644
--- a/mgmt/authstore/postgresql.go
+++ b/mgmt/authstore/postgresql.go
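Review bot: The new `if nil != err` branch writes a 404 but never leaves the handler, so when `store.Get` fails execution continues to `if "" != original.MachinePPID` on the next line; if `Get` returns a nil `*Authorization` alongside the error (the `StructScan` path in postgresql.go looks like it does), that line still dereferences nil, which is the crash the commit title says it fixes. Add `return` after `http.Error(w, msg, http.StatusNotFound)`. Without it the later `http.Error` calls would also write a second status, which net/http reports as a superfluous WriteHeader. The handler closure and `routeAll` both continue outside the hunk.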
@@ -203,9 +203,15 @@ func (s *PGStore) Get(id string) (*Authorization, error) {
 query := `
 SELECT * FROM authorizations
 WHERE deleted_at = '1970-01-01 00:00:00'
- AND (slug = $1 OR public_key = $1 OR shared_key = $1)
+ AND (slug = $1 OR public_key = $1 OR public_key = $2)
 `
- row := s.dbx.QueryRowxContext(ctx, query, id)
+ // if the id is actually the secret, we want the public form
+ // (we do this to protect against a timing attack)
+ pubby := ToPublicKeyString(id)
+ if len(id) > 24 {
+ id = id[:24]
+ }
+ row := s.dbx.QueryRowxContext(ctx, query, id, pubby)
 if nil != row {
 auth := &Authorization{}
 if err := row.StructScan(auth); nil != err {
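Review bot: `id = id[:24]` makes an undocumented magic number the boundary between "identifier" and "secret", and the truncation only shortens what is bound to `$1`: a presented secret (or its first 24 bytes) still travels to the database and is compared against `slug` and `public_key`, and a secret shorter than 24 bytes — the test fixture in this patch uses the 16-character `"3-xxxx-zzzz-yyyy"` — is passed through unchanged, so the comment about protecting against a timing attack promises more than the code guarantees. Give the constant a name and a comment tying it to the public-key form, e.g. `const publicKeyLen = 24 // TODO(review): confirm this equals len(ToPublicKeyString(x))`, and consider binding an empty `$1` when the input is longer than a public key so the raw secret never reaches the query at all. `id` is also reassigned here, so any later use of it inside `Get` (error text, logging) now sees the truncated value — confirm nothing below depends on the original. `Get` starts before the hunk and its `if nil != row` block is still open at the end of it.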