Security: Attempt to block auth of nil tokens, etc.

emk · emk · commit 64eff7f46ab8 · 2008-12-20T10:43:45.000-05:00
Some Rails authentication systems have suffered from a vulnerability involving nil or blank login tokens: http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/ This patch includes a bunch of test cases testing for possible attacks along these lines, and some sanity-checking code in our authentication methods. Note that the tests and the code don't really "line up" here--most of the test methods passed already, and most of the sanity-checking code is probably unnecessary. But again, better safe than sorry.
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -32,6 +32,7 @@ def self.find_admins(*args)
 
   # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
   def self.authenticate_for(site, login, password)
+    return nil if site.nil? || login.nil? || login.blank? || password.nil? || password.blank?
     u = find(:first, @@membership_options.merge(
       :conditions => ['users.login = ? and (memberships.site_id = ? or users.admin = ?)', login, site.id, true]))
     u && u.authenticated?(password) ? u : nil
@@ -55,6 +56,7 @@ def self.find_all_by_site_with_deleted(site, options = {})
   end
 
   def self.find_by_token(site, token)
+    return nil if site.nil? || token.nil? || token.blank?
     find(:first, @@membership_options.merge(:conditions => ['token = ? and token_expires_at > ? and (memberships.site_id = ? or users.admin = ?)', token, Time.now.utc, site.id, true]))
   end
   
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
@@ -0,0 +1,45 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+ 
+describe User do
+  before :each do
+    @site = Site.make
+  end
+
+  def make_admin_with_token token
+    user = User.make(:token_expires_at => 1.day.from_now, :admin => true)
+    user.token = token # May be nil, so we can't pass to User.make.
+    user.save!
+  end
+
+  it "should not find users with nil token" do
+    # This test always passed, before we did anything specific to fix it.
+    make_admin_with_token nil
+    User.find_by_token(@site, nil).should be_nil
+  end
+
+  it "should not find users with empty token" do
+    make_admin_with_token ''
+    User.find_by_token(@site, '').should be_nil
+  end
+
+  def make_admin_with_login_and_password login, password
+    User.make(:login => login, :password => password, :admin => true)
+  end
+
+  it "should not find users with empty login" do
+    begin
+      make_admin_with_login_and_password '', 'foo'
+      User.authenticate_for(@site, '', 'foo').should be_nil
+    rescue ActiveRecord::RecordInvalid # This is OK, too.
+    end
+  end
+
+  it "should not find users with empty password" do
+    begin
+      make_admin_with_login_and_password 'joe', ''
+      User.authenticate_for(@site, 'joe', '').should be_nil
+    rescue ActiveRecord::RecordInvalid # This is OK, too.
+    end
+  end
+end
+
