fix: open session replay attack #240

Merged
merged 6 commits into from
Dec 26, 2022
jingchen2222 (Collaborator) commented Dec 19, 2022

In this PR, we proposed a method to reduce the possibility of an open session replay attack:

  1. Open session header should be unique in a node
  2. TTS for Open session
    Resolve QuerySession replay attack #239

Use random uuid string as token

codecov-commenter commented Dec 19, 2022

Codecov Report

Merging #240 (f9b5ce3) into main (2fdd454) will increase coverage by 1.49%.
The diff coverage is 95.33%.

@@            Coverage Diff             @@
##             main     #240      +/-   ##
==========================================
+ Coverage   53.34%   54.83%   +1.49%     
==========================================
  Files          41       41              
  Lines        3667     3797     +130     
==========================================
+ Hits         1956     2082     +126     
- Misses       1711     1715       +4     

| Flag | Coverage Δ |
|------|------------|
| rust | 54.83% <95.33%> (+1.49%) ⬆️ |

| Impacted Files | Coverage Δ |
|----------------|------------|
| src/node/src/storage_node_impl.rs | 0.58% <0.00%> (-0.01%) ⬇️ |
| src/session/src/session_manager.rs | 91.81% <98.57%> (+1.27%) ⬆️ |
| src/sdk/src/store_sdk.rs | 94.83% <98.66%> (+0.90%) ⬆️ |


imotai (Contributor) commented Dec 25, 2022

I think we should have a time-to-live for the signature to avoid reusing the signature
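
A minimal sketch of the two checks discussed in this thread (a header that is unique per node, plus a time-to-live on the signed request), added here as an illustration and not taken from this PR's code. `ReplayGuard`, `Reject`, the `issued_at` field and the 30-second TTL are assumptions; signature verification is assumed to happen before `check` is called.

```rust
use std::collections::HashMap;

/// Why an open-session request was refused.
#[derive(Debug, PartialEq)]
pub enum Reject {
    Expired,  // issued_at is outside the TTL window (too old or too far ahead)
    Replayed, // header already accepted by this node within the TTL
}

/// Hypothetical per-node guard; not the project's SessionManager.
pub struct ReplayGuard {
    ttl_secs: u64,
    seen: HashMap<String, u64>, // header -> issued_at of the accepted request
}

impl ReplayGuard {
    pub fn new(ttl_secs: u64) -> Self {
        Self { ttl_secs, seen: HashMap::new() }
    }

    /// `header` and `issued_at` are assumed to be part of the signed payload,
    /// and the signature is assumed to be verified before this call.
    pub fn check(&mut self, header: &str, issued_at: u64, now: u64) -> Result<(), Reject> {
        // Drop headers whose TTL has passed; the freshness check below
        // rejects them anyway, so the map stays bounded.
        let ttl = self.ttl_secs;
        self.seen.retain(|_, t| now.saturating_sub(*t) <= ttl);

        // Freshness: abs_diff also rejects timestamps far in the future.
        if now.abs_diff(issued_at) > ttl {
            return Err(Reject::Expired);
        }
        // Uniqueness: a captured request resent inside the TTL window.
        if self.seen.contains_key(header) {
            return Err(Reject::Replayed);
        }
        self.seen.insert(header.to_string(), issued_at);
        Ok(())
    }
}

fn main() {
    let mut guard = ReplayGuard::new(30);
    // Constructed sample values; a client would send a random UUID string.
    let header = "1b4e28ba-2fa1-11d2-883f-0016d3cca427";
    println!("{:?}", guard.check(header, 1_000, 1_005)); // first use
    println!("{:?}", guard.check(header, 1_000, 1_010)); // replay inside the window
    println!("{:?}", guard.check(header, 1_000, 1_100)); // replay after the TTL
}
```

The uniqueness check alone would require remembering every header forever; combining it with the TTL is what lets the node forget old headers safely.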

jingchen2222 changed the title from "open session take use of random string as header" to "fix: open session replay attack" Dec 26, 2022

imotai (Contributor) left a comment

LGTM

imotai merged commit 041fff8 into main Dec 26, 2022
imotai deleted the fix/replay_attack branch December 27, 2022 04:09