Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Network errors during pwnedpasswords.com check causing recursive loop #589

Merged
merged 3 commits into from Jul 27, 2020
Merged

fix: Network errors during pwnedpasswords.com check causing recursive loop #589

merged 3 commits into from Jul 27, 2020

Conversation

jakhog
Copy link
Contributor

@jakhog jakhog commented Jul 18, 2020

Related issue

On network errors, the password validator ends up in a recursion loop until either the fault disappears - or more likely the stack overflows. Related to #316, @aeneasr .

Proposed changes

Change the validator code so that when ignoreNetworkErrors = true, a failure during the pwnedpasswords.com check returns no error, but the validation of the same password later would retry the online check.

Added test cases that previously crashed or timed out the test suite (because of the loop), but they pass now. I also took the liberty to add a few more tests for the online password leak check.

Checklist

  • I have read the contributing guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security. vulnerability, I
    confirm that I got green light (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further comments

I implemented a FakeHTTPClient to use for these tests and feel like it should really live somewhere else to potentially be reused, but I couldn't find a good home for it. The internal/testhelpers package doesn't work as it causes an import cycle, any suggestions?

This is also the first Go test I've written, so happy with any feedback if something is not perfect 馃檪

@jakhog
Add tests for pwnedpasswords.com checks
696d57b
@jakhog
Fix infinte loop in validator on network errors.
eb27175 
The old code no error when ignoreNetworkErrors was set to true, but did
not set a hash result which caused an infinite loop.
This fixes #316.
@jakhog jakhog changed the title Offline password check fix fix: Network errors during pwnedpasswords.com check causing recursive loop Jul 18, 2020
@jakhog jakhog mentioned this pull request Jul 18, 2020
Closed
aeneasr
aeneasr reviewed Jul 20, 2020
View reviewed changes
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good job!

selfservice/strategy/password/validator.go Outdated
if s.ignoreNetworkErrors {
return nil
}
return errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to check if password has been breached before: %s", err))
return s.ignoreNetworkErrors, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to check if password has been breached before: %s", err))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Typically you would use the error as a value in "idiomatic" Go to avoid the mix of two return types. While the correctness of the code is obvious, it's just more "Go-style" to write it like this:

var ErrNetworkFailure = errors.new("unexpected network error")

// func () fetch() error {
// ...
if err != nil {
  s.log().WithError(err).Errorf("Unable to check if password has been breached before")
  return ErrNetworkFailure
}
// ...

selfservice/strategy/password/validator.go Outdated
Comment on lines 169 to 172
if shouldIgnore, err := s.fetch(hpw); err != nil {
if shouldIgnore {
return nil
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And then you do this:

Suggested change
if shouldIgnore, err := s.fetch(hpw); err != nil {
if shouldIgnore {
return nil
}
if err := s.fetch(hpw); errors.Is(err, ErrNetworkFailure) {
return nil
} else if err != nil {
return err
}

@aeneasr aeneasr merged commit b4d5a42 into ory:master Jul 27, 2020
@jakhog jakhog deleted the offline-password-check-fix branch August 10, 2020 08:22
@jakhog
Copy link
Contributor Author

jakhog commented Aug 10, 2020

Thanks for the feedback! I was away on vacation so haven't seen this until now, but seems like you already fixed it so thank you 馃槃

@aeneasr
Copy link
Member

aeneasr commented Aug 10, 2020

No problem, I hope you had a good vacation and were able to regenerate :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jakhog @aeneasr