Skip to content

Commit

Permalink
minor #42302 [Security] Remove time-sensitivity from `LoginLinkHandle…
Browse files Browse the repository at this point in the history 
…rTest` (herndlm)

This PR was merged into the 5.3 branch.

Discussion
----------

[Security] Remove time-sensitivity from `LoginLinkHandlerTest`

| Q             | A
| ------------- | ---
| Branch?       | 5.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #41338
| License       | MIT
| Doc PR        | n/a

Removes time-sensitivity from `LoginLinkHandlerTest::testCreateLoginLink` by additionally comparing the provided expiration time with the current time by using an allowed drift/leeway. Previously only the provided hash was compared by using the current time as basis which was prone to missmatches. Now it uses the provided expiration time as basis instead.

Fixes the problem where the test code is assuming that calling `time()` twice (once in the link generation and once in the test expectation) will return the same value where in realityit might return 5 for the first and 6 for the second call only a split second later.

Commits
-------

75addf1 Remove time-sensitivity from LoginLinkHandlerTest
  • Loading branch information
@chalasr
chalasr committed Aug 2, 2021
2 parents 59ed190 + 75addf1 commit e617a9b
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/Symfony/Component/Security/Http/Tests/LoginLink/LoginLinkHandlerTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,6 @@ protected function setUp(): void

/**
* @dataProvider provideCreateLoginLinkData
* @group time-sensitive
*/
public function testCreateLoginLink($user, array $extraProperties, Request $request = null)
{
Expand All @@ -65,8 +64,10 @@ public function testCreateLoginLink($user, array $extraProperties, Request $requ
return 'weaverryan' == $parameters['user']
&& isset($parameters['expires'])
&& isset($parameters['hash'])
// allow a small expiration offset to avoid time-sensitivity
&& abs(time() + 600 - $parameters['expires']) <= 1
// make sure hash is what we expect
&& $parameters['hash'] === $this->createSignatureHash('weaverryan', time() + 600, array_values($extraProperties));
&& $parameters['hash'] === $this->createSignatureHash('weaverryan', $parameters['expires'], array_values($extraProperties));
}),
UrlGeneratorInterface::ABSOLUTE_URL
)
Expand Down

0 comments on commit e617a9b

Please sign in to comment.