Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Better handle basic authentication without a password #44610

Merged
merged 1 commit into from Mar 4, 2022
Merged

Better handle basic authentication without a password #44610

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
14 changes: 14 additions & 0 deletions actionpack/CHANGELOG.md
View file
Open in desktop
@@ -1,3 +1,17 @@
* Fix `authenticate_with_http_basic` to allow for missing password.

Before Rails 7.0 it was possible to handle basic authentication with only a username.

```ruby
authenticate_with_http_basic do |token, _|
ApiClient.authenticate(token)
end
```

This ability is restored.

*Jean Boussier*

* Fix `content_security_policy` returning invalid directives.

Directives such as `self`, `unsafe-eval` and few others were not
Expand Down
8 changes: 5 additions & 3 deletions actionpack/lib/action_controller/metal/http_authentication.rb
View file
Open in desktop
Expand Up @@ -74,6 +74,8 @@ module ClassMethods
#
# See ActionController::HttpAuthentication::Basic for example usage.
def http_basic_authenticate_with(name:, password:, realm: nil, **options)
raise ArgumentError, "Expected name: to be a String, got #{name.class}" unless name.is_a?(String)
raise ArgumentError, "Expected password: to be a String, got #{password.class}" unless name.is_a?(String)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume this is supposed to be unless password.is_a?(String)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤦 yes you are right. I'll fix directly in main. Thanks!

before_action(options) { http_basic_authenticate_or_request_with name: name, password: password, realm: realm }
end
end
Expand All @@ -82,8 +84,8 @@ def http_basic_authenticate_or_request_with(name:, password:, realm: nil, messag
authenticate_or_request_with_http_basic(realm, message) do |given_name, given_password|
# This comparison uses & so that it doesn't short circuit and
# uses `secure_compare` so that length information isn't leaked.
ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
ActiveSupport::SecurityUtils.secure_compare(given_password, password)
ActiveSupport::SecurityUtils.secure_compare(given_name.to_s, name) &
Copy link
Member

@p8 p8 Mar 4, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason name.to_s isn't called here instead?
Just wondering :)

Suggested change
ActiveSupport::SecurityUtils.secure_compare(given_name.to_s, name) &
ActiveSupport::SecurityUtils.secure_compare(given_name.to_s, name.to_s) &

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a bit handwavy, but the idea was to cast to string once and for all at boot, so that if somehow you passed something that acts as a string but isn't, we don't open a timing attack (because presumably to_s would take longer, the longer the password is).

But again it wasn't to prevent a specific scenario, just to be extra careful. Anyway I refactored the PR, so this to_s is no more.

ActiveSupport::SecurityUtils.secure_compare(given_password.to_s, password)
end
end

Expand All @@ -107,7 +109,7 @@ def authenticate(request, &login_procedure)
end

def has_basic_credentials?(request)
request.authorization.present? && (auth_scheme(request).downcase == "basic") && user_name_and_password(request).length == 2
request.authorization.present? && (auth_scheme(request).downcase == "basic")
end

def user_name_and_password(request)
Expand Down
27 changes: 22 additions & 5 deletions actionpack/test/controller/http_basic_authentication_test.rb
View file
Open in desktop
Expand Up @@ -31,6 +31,13 @@ def search
render plain: "All inline"
end

def no_password
username, password = authenticate_with_http_basic do |username, password|
[username, password]
end
render plain: "Hello #{username} (password: #{password.inspect})"
end

private
def authenticate
authenticate_or_request_with_http_basic do |username, password|
Expand Down Expand Up @@ -112,11 +119,6 @@ def test_encode_credentials_has_no_newline
assert_no_match(/\n/, result)
end

test "has_basic_credentials? should fail with credentials without colon" do
@request.env["HTTP_AUTHORIZATION"] = "Basic #{::Base64.encode64("David Goliath")}"
assert_not ActionController::HttpAuthentication::Basic.has_basic_credentials?(@request)
end

test "successful authentication with uppercase authorization scheme" do
@request.env["HTTP_AUTHORIZATION"] = "BASIC #{::Base64.encode64("lifo:world")}"
get :index
Expand All @@ -142,6 +144,21 @@ def test_encode_credentials_has_no_newline
assert_equal 'Basic realm="SuperSecret"', @response.headers["WWW-Authenticate"]
end

test "authentication request with a missing password" do
@request.env["HTTP_AUTHORIZATION"] = "Basic #{::Base64.encode64("David")}"
get :search

assert_response :unauthorized
end

test "authentication request with no required password" do
@request.env["HTTP_AUTHORIZATION"] = "Basic #{::Base64.encode64("George")}"
get :no_password

assert_response :success
assert_equal "Hello George (password: nil)", @response.body
end

test "authentication request with valid credential" do
@request.env["HTTP_AUTHORIZATION"] = encode_credentials("pretty", "please")
get :display
Expand Down