
Only check access tokens if they are likely to be tokens #16164

Merged: 2 commits, Jun 15, 2021

Conversation

zeripath (Contributor):

Gitea will currently check if every password is an access token even though
most passwords are not and cannot be access tokens.

By creation, access tokens are 40-byte hexadecimal strings, therefore only these should
be checked.

Signed-off-by: Andrew Thornton <art27@cantab.net>

@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Jun 15, 2021
Review comment on models/token.go (outdated, resolved)
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 15, 2021
@6543 6543 merged commit b8e4ce7 into go-gitea:main Jun 15, 2021
@zeripath zeripath deleted the no-token-check-if-not-likely-to-be-token branch June 15, 2021 22:40
zeripath added a commit to zeripath/gitea that referenced this pull request Jun 16, 2021
)

Backport go-gitea#16164

@zeripath zeripath added the backport/done All backports for this PR have been created label Jun 16, 2021
techknowlogick pushed a commit that referenced this pull request Jun 16, 2021
…6171)

Backport #16164

@zeripath zeripath added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Jun 18, 2021
zeripath (Contributor, Author):

Marked as security because previously this would result in sending the last 8 characters of passwords to the DBs, which with LOG_SQL=true means that they end up in logs.

I think it's probably an acceptable balance that the lack of the appearance of a DB query leaks that the (provided) password is not a 40-character hexadecimal string, and that in the case of a 40-character hexadecimal password the last 8 characters may appear in the SQL logs - we can do some other techniques in a future PR. (For example, if a username is provided just get all the tokens for that user - if not, leaking the last 8 characters is less of a problem.)
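The PR description and the comment above describe one guard with two effects: rejecting anything that is not a 40-character hex string before the token lookup both avoids a useless query for ordinary passwords and keeps the tail of those passwords out of `LOG_SQL=true` output. The following Go program is an added illustration of that guard and is not Gitea's code or the diff from this PR. It assumes a lookup keyed on the token's last eight characters followed by a hash comparison (the column name `token_last_eight` and the use of SHA-256 for the hash are assumptions for the example), accepts either case of hex digit, and uses a constructed token and password; the in-memory store records the statements it would run, standing in for the SQL log.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample values for this example only.
const demoToken = "0123456789abcdef0123456789abcdef01234567" // 40 hex chars
const demoPassword = "correct horse battery staple"           // an ordinary password

// accessTokenLen is the length of an access token as created: a hex-encoded SHA-1 sum.
const accessTokenLen = 40

// looksLikeAccessToken reports whether secret has the shape of a created token:
// exactly 40 hex characters. Anything else cannot be a token and must not be
// sent to the database at all. Accepting both hex cases is this example's choice.
func looksLikeAccessToken(secret string) bool {
	if len(secret) != accessTokenLen {
		return false
	}
	_, err := hex.DecodeString(secret)
	return err == nil
}

// tokenRecord holds the columns the lookup uses: the row is indexed by the
// token's last eight characters and confirmed by its hash.
type tokenRecord struct {
	Name      string
	LastEight string
	Hash      string
}

// tokenStore is an in-memory stand-in for the access_token table; sqlLog
// collects the statements it "executes", as LOG_SQL=true would write them.
type tokenStore struct {
	rows   []tokenRecord
	sqlLog []string
}

func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token)) // assumption: real schema uses a salted hash
	return hex.EncodeToString(sum[:])
}

func newDemoStore() *tokenStore {
	return &tokenStore{rows: []tokenRecord{{
		Name:      "ci-token",
		LastEight: demoToken[len(demoToken)-8:],
		Hash:      hashToken(demoToken),
	}}}
}

// queryByLastEight is the only database round trip; the literal it binds is
// exactly what leaks into the SQL log.
func (s *tokenStore) queryByLastEight(lastEight string) []tokenRecord {
	s.sqlLog = append(s.sqlLog,
		fmt.Sprintf("SELECT * FROM access_token WHERE token_last_eight = '%s'", lastEight))
	var out []tokenRecord
	for _, r := range s.rows {
		if r.LastEight == lastEight {
			out = append(out, r)
		}
	}
	return out
}

// matchHash picks the candidate whose hash matches the full secret.
func matchHash(cands []tokenRecord, secret string) (*tokenRecord, bool) {
	want := hashToken(secret)
	for i := range cands {
		if cands[i].Hash == want {
			return &cands[i], true
		}
	}
	return nil, false
}

// lookupUnguarded is the pre-fix behaviour: every secret of at least eight
// characters reaches the database, so a password's tail lands in the SQL log.
func lookupUnguarded(s *tokenStore, secret string) (*tokenRecord, bool) {
	if len(secret) < 8 {
		return nil, false
	}
	return matchHash(s.queryByLastEight(secret[len(secret)-8:]), secret)
}

// lookupGuarded is the fixed behaviour: anything that cannot be a token is
// rejected before the database is touched.
func lookupGuarded(s *tokenStore, secret string) (*tokenRecord, bool) {
	if !looksLikeAccessToken(secret) {
		return nil, false
	}
	return matchHash(s.queryByLastEight(secret[len(secret)-8:]), secret)
}

// passwordTailLogged reports whether the last eight characters of secret
// appear in any logged statement.
func passwordTailLogged(s *tokenStore, secret string) bool {
	tail := secret[len(secret)-8:]
	for _, line := range s.sqlLog {
		if strings.Contains(line, tail) {
			return true
		}
	}
	return false
}

func main() {
	before, after := newDemoStore(), newDemoStore()
	lookupUnguarded(before, demoPassword)
	lookupGuarded(after, demoPassword)
	fmt.Printf("unguarded: password tail in SQL log = %v\n", passwordTailLogged(before, demoPassword))
	fmt.Printf("guarded:   password tail in SQL log = %v\n", passwordTailLogged(after, demoPassword))
	_, ok := lookupGuarded(after, demoToken)
	fmt.Printf("guarded:   real token still resolves = %v\n", ok)
}
```

The guard is a shape check, not a secrecy check: as the comment above notes, the absence of a query still reveals that the supplied value was not 40 hex characters, and a password that happens to be 40 hex characters still has its tail sent to the database. Scoping the lookup by username, as suggested for a later change, is what removes the remaining dependence on the password's tail.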

@zeripath zeripath added performance/speed performance issues with slow downs and removed performance/speed performance issues with slow downs labels Jul 25, 2021
AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this pull request Aug 10, 2021
)

* Only check access tokens if they are likely to be tokens

@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021
Labels: backport/done, lgtm/done, topic/security, type/bug