1
0
Fork 0
mirror of https://github.com/heartcombo/devise.git synced 2022-11-09 12:18:31 -05:00

fix for possible injection with mongo

Signed-off-by: José Valim <jose.valim@gmail.com>
This commit is contained in:
gilles 2011-03-07 15:54:55 -08:00 committed by José Valim
parent 569d205ca7
commit 1982ad9f57
3 changed files with 61 additions and 3 deletions

View file

@ -100,6 +100,12 @@ module Devise
# end # end
# #
def find_for_authentication(conditions) def find_for_authentication(conditions)
#the to_s is here to avoid mongodb injection where 'field => value' becomes 'field => {$ne => value}' thourgh the magic of rails
#still this does not prevent the leak if user1.token == '$ne' + user2.token (the chance of that is poor though)
#this might not be the best place or the best method, please change
conditions.each do |k, v|
conditions[k] = v.to_s
end
case_insensitive_keys.each { |k| conditions[k].try(:downcase!) } case_insensitive_keys.each { |k| conditions[k].try(:downcase!) }
to_adapter.find_first(conditions) to_adapter.find_first(conditions)
end end

View file

@ -89,6 +89,18 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
end end
end end
test 'should not be subject to injection' do
swap Devise, :token_authentication_key => :secret_token do
user1 = create_user_with_authentication_token()
user2 = create_another_user_with_authentication_token(:auth_token => "ANOTHERTOKEN")
visit users_path(Devise.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
assert warden.user(:user) == nil
end
end
private private
def sign_in_as_new_user_with_token(options = {}) def sign_in_as_new_user_with_token(options = {})
@ -107,14 +119,32 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
user user
end end
def create_user_with_authentication_token(options) def create_user_with_authentication_token(options = {})
user = create_user(options) user = create_user(options)
user.authentication_token = VALID_AUTHENTICATION_TOKEN user.authentication_token = options[:auth_token] || VALID_AUTHENTICATION_TOKEN
user.save user.save
user user
end end
def create_another_user_with_authentication_token(options = {})
@anotheruser ||= begin
user = User.create!(
:username => 'anotherusertest',
:email => options[:email] || 'anotheruser@test.com',
:password => options[:password] || '123456',
:password_confirmation => options[:password] || '123456',
:created_at => Time.now.utc
)
user.confirm! unless options[:confirm] == false
user.lock_access! if options[:locked] == true
user.authentication_token = options[:auth_token] || VALID_AUTHENTICATION_TOKEN
user.save
user
end
end
def get_users_path_as_existing_user(user) def get_users_path_as_existing_user(user)
sign_in_as_new_user_with_token(:user => user) sign_in_as_new_user_with_token(:user => user)
end end
end end

View file

@ -28,7 +28,7 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
test 'should return nil when authenticating an invalid user by authentication token' do test 'should return nil when authenticating an invalid user by authentication token' do
if DEVISE_ORM == :mongoid if DEVISE_ORM == :mongoid
raise 'There is an incompatibility between Devise and Mongoid' << raise 'There is an incompatibility between Devise and Mongoid' <<
' that makes this test break. For more information, check' << ' that makes this test break. For more information, check' <<
' this issue: https://github.com/mongoid/mongoid/issues/725' ' this issue: https://github.com/mongoid/mongoid/issues/725'
end end
@ -40,4 +40,26 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
assert_nil authenticated_user assert_nil authenticated_user
end end
test 'should not be subject to injection' do
if DEVISE_ORM != :mongoid
assert_nil(nil)
else
user1 = create_user
user1.ensure_authentication_token!
user1.confirm!
user2 = create_user
user2.ensure_authentication_token!
user2.confirm!
#now trick it
user = User.find_for_token_authentication(:auth_token => {'$ne' => user1.authentication_token})
assert_nil user
end
end
end end