Fix for https://www.pivotaltracker.com/story/show/163470469 #2237
The bug report describes how the callback link from a session authenticated by a Bad Actor could be used in a phishing attack to have the victim upload their move data to another account. This fix adds checking on the original state nonce used to authenticate, to block the victim's browser from using the Bad Actor's session.
Adds code in
I struggled to find a good unit test for this code. Both handlers are so intimately tied to login.gov that I couldn't see an easy way to test this. That said, I verified that it failed in the case where the callback gets a different state from the one passed to login.gov.
No particular setup. You should run client and server and confirm you can still log in. If you want to check that the code works as expected, look in dev tools for the callback URL passed in when returning from login.gov, e.g.
If you paste that unchanged into the browser, you should see a normal session. If you edit the URL to change the state value passed back in, you should see a server error and an ERROR in the log.
Code Review Verification Steps
changed the title: "WIP Fix for https://www.pivotaltracker.com/story/show/163470469" (Jun 10, 2019)
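The state-nonce check the description outlines, as an added Go example that is not the project's own code: a nonce is bound to the caller's session before the redirect to the identity provider, and the callback is accepted only if the echoed `state` matches that session's nonce. The in-memory session store, the `session` cookie name and the callback path are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"log"
	"net/http"
)

// sessionStore stands in for server-side session storage keyed by session ID (hypothetical).
type sessionStore struct{ states map[string]string }
// newState creates a random nonce, binds it to the session, and returns it for the `state` parameter.
func (s *sessionStore) newState(sessionID string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	s.states[sessionID] = hex.EncodeToString(b)
	return s.states[sessionID], nil
}
// verifyState is the check the fix adds: the callback is accepted only when the state in the URL
// equals the nonce bound to the caller's own session. A victim whose browser opens an attacker's
// callback link holds a different (or no) nonce, so the attacker's login cannot land in that session.
func (s *sessionStore) verifyState(sessionID, callbackState string) error {
	expected, ok := s.states[sessionID]
	if !ok || subtle.ConstantTimeCompare([]byte(expected), []byte(callbackState)) != 1 {
		return errors.New("oauth callback state does not match session nonce")
	}
	delete(s.states, sessionID) // single use, so a replayed callback also fails
	return nil
}
// callbackHandler answers a mismatch with a server error and an ERROR log line, as the PR describes.
func callbackHandler(store *sessionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sid, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "no session", http.StatusBadRequest)
			return
		}
		if err := store.verifyState(sid.Value, r.URL.Query().Get("state")); err != nil {
			log.Printf("ERROR: %v", err)
			http.Error(w, "server error", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}
```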
Coverage Diff (master vs #2237)

              master    #2237     +/-
  Coverage    59.26%    59.12%    -0.14%
  Files       255       255
  Lines       14412     14445     +33
  Hits        8540      8540
  Misses      4858      4891      +33
  Partials    1014      1014