Fix/captcha repeater vulnerability #427
Conversation
There was a problem hiding this comment.
@ivanmrsulja thanks for this contribution. Please check one my comment.
home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl
Outdated
Show resolved
Hide resolved
home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl
Outdated
Show resolved
Hide resolved
home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Thanks for the PR!
Please take a look at some comments I did and translation suggestions.
I tested self hosted captcha. It works well.
Recaptcha V2 works.
Recaptcha V3 doesn't work (image below)
I didn't found any notes on what Recaptcha version should be supported.
I think it should be documented or V3 fixed if that was expected to be working.
api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/CaptchaServiceBean.java
Outdated
Show resolved
Hide resolved
.../main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ContactFormController.java
Outdated
Show resolved
Hide resolved
.../main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ContactFormController.java
Outdated
Show resolved
Hide resolved
.../main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ContactMailController.java
Outdated
Show resolved
Hide resolved
.../main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ContactMailController.java
Outdated
Show resolved
Hide resolved
home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl
Outdated
Show resolved
Hide resolved
home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl
Outdated
Show resolved
Hide resolved
home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl
Outdated
Show resolved
Hide resolved
.../main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ContactMailController.java
Outdated
Show resolved
Hide resolved
api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/CaptchaServiceBean.java
Outdated
Show resolved
Hide resolved
Yes, in the requirements, it was stated that there should be an "I'm not a robot field" which is reCAPTCHA v2 implementation. V3 runs in the background and it is a pure JS API that returns a score (based on number and speed of the interactions with the webpage). That score is the indicator whether additional measures should be taken for each interaction, it is a supplementary library. I did not plan to encorporate this functionality but it is open for discussion on the next meeting. |
…e/vitro_UiLabel.ttl Co-authored-by: Benjamin Kampe <benjamin@fehrmanns.net>
…e/vitro_UiLabel.ttl Co-authored-by: salmjunior <104263384+salmjunior@users.noreply.github.com>
…e/vitro_UiLabel.ttl Co-authored-by: salmjunior <104263384+salmjunior@users.noreply.github.com>
…here unnecessary.
…e/vitro_UiLabel.ttl Co-authored-by: Georgy Litvinov <git@litvinovg.pro>
…e/vitro_UiLabel.ttl Co-authored-by: Georgy Litvinov <git@litvinovg.pro>
…e/vitro_UiLabel.ttl Co-authored-by: Georgy Litvinov <git@litvinovg.pro>
…e/vitro_UiLabel.ttl Co-authored-by: Georgy Litvinov <git@litvinovg.pro>
ivanmrsulja
force-pushed
the
fix/captcha-repeater-vulnerability
branch
from
62fffeb
to
c195f60
Compare
There was a problem hiding this comment.
Please update comment in example.runtime.properties to mention that only re-captcha v2 keys are supported in this PR and VIVO PR as was discussed at the meeting on Tuesday.
I suggest to convert string values of captcha.implementation in Java code to static fields.
Also, the name for self hosted captcha can be better I think.
Maybe we could use implementation name, like nanocaptcha in case somebody in future decides to add another self hosted captcha implementation. Not sure it should be in upper case, lower case looks better to me.
@chenejac What is your opinion?
There was a problem hiding this comment.
@ivanmrsulja I have added a comment which reflects committers' meeting discussion. Please, take a look.
api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/CaptchaServiceBean.java
Outdated
Show resolved
Hide resolved
api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/CaptchaServiceBean.java
Outdated
Show resolved
Hide resolved
webapp/src/main/webapp/templates/freemarker/body/contactForm/contactForm-form.ftl
Outdated
Show resolved
Hide resolved
home/src/main/resources/rdf/i18n/fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl
Outdated
Show resolved
Hide resolved
| captchaImplSetting = "NANOCAPTCHA"; | ||
| } | ||
|
|
||
| return CaptchaImplementation.valueOf(captchaImplSetting.toUpperCase()); |
There was a problem hiding this comment.
Maybe it is better to test if implementation in property file is one of supported values first, then for all other cases: missing implemenation value, misspelled value; return NANOCAPTCHA?
Otherwise it should throw IllegalArgumentException if value is misspelled which should result in broken contact form I guess.
There was a problem hiding this comment.
You are right about misspelled values, but I think that it is more intuitive to firstly check all error logic as guard cases and then have the desired logic after that, looks more readable to me. I will refactor the code to support misspelled values and to address a suggestion below, and after that, if you still think this is unintuitive I can change it as well 😄
There was a problem hiding this comment.
This is improved to fall back to NANOCAPTCHA impl when misspelled configurations are provided.
| switch (captchaImpl) { | ||
| case RECAPTCHAV2: | ||
| if (CaptchaServiceBean.validateReCaptcha(captchaInput)) { | ||
| return true; | ||
| } | ||
| break; | ||
| case NANOCAPTCHA: | ||
| Optional<CaptchaBundle> optionalChallenge = CaptchaServiceBean.getChallenge(challengeId); | ||
| if (optionalChallenge.isPresent() && optionalChallenge.get().getCode().equals(captchaInput)) { | ||
| return true; | ||
| } | ||
| break; | ||
| case NONE: | ||
| return true; | ||
| } |
There was a problem hiding this comment.
What if another captcha implementation is added?
Should there be a class for each captcha implementation?
Now class responsibilities seem a little bit mixed.
There was a problem hiding this comment.
I can make a provider class for each implementation
There was a problem hiding this comment.
I have refactored code and made providers for each implementation. ServiceBean only delegates requests to providers and is responsible for challenge persistence (in-memory).
Co-authored-by: Georgy Litvinov <git@litvinovg.pro>
VIVO GitHub issue: Mitigate vulnerability of Captcha feature
VIVO PR
What does this pull request do?
This PR mitigates vulnerability of captcha feature by introducing new methods of challenge generation: nanocaptcha and Google reCAPTCHA.
What's new?
A CaptrchaServiceBean is created which can both provide and validate text-based challenges as well as provide validation services for Google reCaptcha through Google API. I also included a configuration for which captcha method is used so you can use both methods interchangeably (just change configuration options).
How should this be tested?
Unit tests for CaptchaServiceBean are created. If you want to test manually, simply run the application and follow instructions on how to configure each captcha method (instructions are available in example.runtime.properties file).
Captcha is currently only used on
/contactpage. Keep in mind that you have to setup SMTP properties as well as default contact email for feedback form to be accessible.Interested parties
@litvinovg @chenejac @brianjlowe