Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add nonce validation to SessionService #766

Merged
merged 9 commits into from
May 10, 2022
Merged

Add nonce validation to SessionService #766

merged 9 commits into from
May 10, 2022

Conversation

rob-3
Copy link
Contributor

@rob-3 rob-3 commented Feb 7, 2022
edited
Loading

@bagofarms I would appreciate if you could review this as it is a security matter and I want to make sure it is correct. I'm still planning to update the code to return a non 500 error message but the security stuff should be done.

Edit: something seems to be broken already; let me investigate
Edit: ready to merge whenever this can be reviewed

@rob-3 rob-3 added this to the 3.3.0 milestone Feb 7, 2022
@rob-3 rob-3 self-assigned this Feb 7, 2022
@rob-3 rob-3 requested a review from bagofarms February 7, 2022 17:00
@rob-3 rob-3 changed the base branch from dev/v3-2-0 to dev/v3-3-0 February 8, 2022 19:50
@rob-3 rob-3 linked an issue Feb 9, 2022 that may be closed by this pull request
Implement a proper nonce #728
Closed
@rob-3 rob-3 marked this pull request as ready for review February 9, 2022 15:21
@rob-3
Copy link
Contributor Author

rob-3 commented Feb 15, 2022
edited
Loading

Taking a look at this again, I'm wondering if it makes more sense to just integrate this into the SessionService. I could just move the methods and then we wouldn't need a separate service. What do you think @bagofarms?

@bagofarms
Copy link
Member

@rob-3 If it's only ever used in relation to a session, I think it would make more sense integrated into the SessionService.

@rob-3
Move NonceService functionality to SessionService
07a11ea 
Fixes ucfopen#728.

This implements nonce functionality to prevent replay attacks on UDOIT.
I've never implemented nonce functionality before, so the below code
may contain security issues I'm ignorant of, but I gave it my best shot
based on what I could find online. Essentially, by sending the random
nonce back and forth, we can prevent an attacker from resending an
encrypted POST request with potentially bad consequences, because the
nonce can only be used once.
@rob-3 rob-3 requested a review from bagofarms February 16, 2022 13:42
@rob-3 rob-3 changed the title Add NonceService to validate nonces Add nonce validation to SessionService Feb 24, 2022
@SimonRothUCF SimonRothUCF merged commit 5f6e1bb into ucfopen:dev/v3-3-0 May 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bagofarms bagofarms Awaiting requested review from bagofarms

@SimonRothUCF SimonRothUCF Awaiting requested review from SimonRothUCF

Assignees

@rob-3 rob-3

Labels
None yet
Projects
None yet
Milestone
3.3.0
Development

Successfully merging this pull request may close these issues.

Implement a proper nonce
3 participants
@rob-3 @bagofarms @SimonRothUCF