Security: Attempt to block auth of nil tokens, etc.

Some Rails authentication systems have suffered from a vulnerability involving nil or blank login tokens: http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/ This patch includes a bunch of test cases testing for possible attacks along these lines, and some sanity-checking code in our authentication methods. Note that the tests and the code don't really "line up" here--most of the test methods passed already, and most of the sanity-checking code is probably unnecessary. But again, better safe than sorry.
emk · Dec 20, 2008 · 64eff7f46ab8191d1dd766f7746f3a52d31fd7b3 · 64eff7f
1 parent c500bf8
commit 64eff7f46ab8191d1dd766f7746f3a52d31fd7b3
Unified Split

Showing with 47 additions and 0 deletions.

+2 −0 app/models/user.rb

+45 −0 spec/models/user_spec.rb
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -32,6 +32,7 @@ def self.find_admins(*args)
  # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
  def self.authenticate_for(site, login, password)
+  
+    return nil if site.nil? || login.nil? || login.blank? || password.nil? || password.blank?
    u = find(:first, @@membership_options.merge(
      :conditions => ['users.login = ? and (memberships.site_id = ? or users.admin = ?)', login, site.id, true]))
    u && u.authenticated?(password) ? u : nil
@@ -55,6 +56,7 @@ def self.find_all_by_site_with_deleted(site, options = {})
  end
  def self.find_by_token(site, token)
+  
+    return nil if site.nil? || token.nil? || token.blank?
    find(:first, @@membership_options.merge(:conditions => ['token = ? and token_expires_at > ? and (memberships.site_id = ? or users.admin = ?)', token, Time.now.utc, site.id, true]))
  end

diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
@@ -0,0 +1,45 @@
+  
+require File.dirname(__FILE__) + '/../spec_helper'
+  
+
+  
+describe User do
+  
+  before :each do
+  
+    @site = Site.make
+  
+  end
+  
+
+  
+  def make_admin_with_token token
+  
+    user = User.make(:token_expires_at => 1.day.from_now, :admin => true)
+  
+    user.token = token # May be nil, so we can't pass to User.make.
+  
+    user.save!
+  
+  end
+  
+
+  
+  it "should not find users with nil token" do
+  
+    # This test always passed, before we did anything specific to fix it.
+  
+    make_admin_with_token nil
+  
+    User.find_by_token(@site, nil).should be_nil
+  
+  end
+  
+
+  
+  it "should not find users with empty token" do
+  
+    make_admin_with_token ''
+  
+    User.find_by_token(@site, '').should be_nil
+  
+  end
+  
+
+  
+  def make_admin_with_login_and_password login, password
+  
+    User.make(:login => login, :password => password, :admin => true)
+  
+  end
+  
+
+  
+  it "should not find users with empty login" do
+  
+    begin
+  
+      make_admin_with_login_and_password '', 'foo'
+  
+      User.authenticate_for(@site, '', 'foo').should be_nil
+  
+    rescue ActiveRecord::RecordInvalid # This is OK, too.
+  
+    end
+  
+  end
+  
+
+  
+  it "should not find users with empty password" do
+  
+    begin
+  
+      make_admin_with_login_and_password 'joe', ''
+  
+      User.authenticate_for(@site, 'joe', '').should be_nil
+  
+    rescue ActiveRecord::RecordInvalid # This is OK, too.
+  
+    end
+  
+  end
+  
+end
+  
+