fix actual security problems #407

timing attacks on HTTP signature and backup codes for 2fa
This commit is contained in:
dakkar 2024-02-09 13:42:19 +00:00
parent 7cf570565e
commit 02c97f7985
2 changed files with 5 additions and 2 deletions

View file

@ -11,6 +11,7 @@ import type { MiUserProfile, UserProfilesRepository, UsersRepository } from '@/m
import { bindThis } from '@/decorators.js'; import { bindThis } from '@/decorators.js';
import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error.js'; import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error.js';
import type { MiLocalUser } from '@/models/User.js'; import type { MiLocalUser } from '@/models/User.js';
import * as crypto from 'node:crypto';
@Injectable() @Injectable()
export class UserAuthService { export class UserAuthService {
@ -27,7 +28,9 @@ export class UserAuthService {
public async twoFactorAuthenticate(profile: MiUserProfile, token: string): Promise<void> { public async twoFactorAuthenticate(profile: MiUserProfile, token: string): Promise<void> {
if (profile.twoFactorBackupSecret?.includes(token)) { if (profile.twoFactorBackupSecret?.includes(token)) {
await this.userProfilesRepository.update({ userId: profile.userId }, { await this.userProfilesRepository.update({ userId: profile.userId }, {
twoFactorBackupSecret: profile.twoFactorBackupSecret.filter((secret) => secret !== token), twoFactorBackupSecret: profile.twoFactorBackupSecret.filter(
(secret) => !crypto.timingSafeEqual(secret, token)
),
}); });
} else { } else {
const delta = OTPAuth.TOTP.validate({ const delta = OTPAuth.TOTP.validate({

View file

@ -287,7 +287,7 @@ export class ActivityPubServerService {
const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64'); const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64');
if (hash !== digestValue) { if (! crypto.timingSafeEqual(hash, digestValue)) {
// Invalid digest // Invalid digest
reply.code(401); reply.code(401);
return; return;