Only check access tokens if they are likely to be tokens #16164
Merged
+7
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Gitea will currently check every if every password is an access token even though most passwords are not and cannot be access tokens. By creation access tokens are 40 byte hexadecimal strings therefore only these should be checked. Signed-off-by: Andrew Thornton <[email protected]>
techknowlogick
approved these changes
Jun 15, 2021
GiteaBot
added
the
lgtm/need 1
zeripath
commented
Jun 15, 2021
KN4CK3R
approved these changes
Jun 15, 2021
GiteaBot
added
lgtm/done
zeripath
added a commit
to zeripath/gitea
that referenced
this pull request
Jun 16, 2021
) Backprt go-gitea#16164 Gitea will currently check every if every password is an access token even though most passwords are not and cannot be access tokens. By creation access tokens are 40 byte hexadecimal strings therefore only these should be checked. Signed-off-by: Andrew Thornton <[email protected]>
techknowlogick
pushed a commit
that referenced
this pull request
Jun 16, 2021
…6171) Backprt #16164 Gitea will currently check every if every password is an access token even though most passwords are not and cannot be access tokens. By creation access tokens are 40 byte hexadecimal strings therefore only these should be checked. Signed-off-by: Andrew Thornton <[email protected]>
zeripath
added
the
topic/security
|
Marked as security because previously this would result in sending the last 8 characters of passwords to the dbs which with LOG_SQL=true means that they end up in logs. I think it's probably an acceptable balance that the lack of the appearance of a DB query leaks that the (provided) password is not a 40 character hexadecimal string, and that in the case of a 40 character hexadecimal password the last 8 characters may appear in the sql logs - we can do some other techniques in a future PR. (For example if a username is provided just get all the tokens for that user - if not leaking the last 8 characters is less of a problem.) |
zeripath
added
performance/speed
4 tasks
AbdulrhmnGhanem
pushed a commit
to kitspace/gitea
that referenced
this pull request
Aug 10, 2021
) * Only check access tokens if they are likely to be tokens Gitea will currently check every if every password is an access token even though most passwords are not and cannot be access tokens. By creation access tokens are 40 byte hexadecimal strings therefore only these should be checked. Signed-off-by: Andrew Thornton <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Gitea will currently check every if every password is an access token even though
most passwords are not and cannot be access tokens.
By creation access tokens are 40 byte hexadecimal strings therefore only these should
be checked.
Signed-off-by: Andrew Thornton [email protected]