nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-06 21:48:12 -05:00
Code

CSA-29: Time safe comparison for access code (#2431)

Browse Source 
* time safe comparison for access code

* remove whitespace
This commit is contained in:
Kyle Spearrin 2022-11-22 15:32:21 -05:00 committed by GitHub
parent d8834793b5
commit 41ee3d4c69
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/Api/Controllers/AuthRequestsController.cs
View File

@ -6,6 +6,7 @@ using Bit.Core.Exceptions;
using Bit.Core.Repositories; using Bit.Core.Repositories;
using Bit.Core.Services; using Bit.Core.Services;
using Bit.Core.Settings; using Bit.Core.Settings;
using Bit.Core.Utilities;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
@ -68,7 +69,7 @@ public class AuthRequestsController : Controller
public async Task<AuthRequestResponseModel> GetResponse(string id, [FromQuery] string code) public async Task<AuthRequestResponseModel> GetResponse(string id, [FromQuery] string code)
{ {
var authRequest = await _authRequestRepository.GetByIdAsync(new Guid(id)); var authRequest = await _authRequestRepository.GetByIdAsync(new Guid(id));
if (authRequest == null || code != authRequest.AccessCode || authRequest.GetExpirationDate() < DateTime.UtcNow) if (authRequest == null || !CoreHelpers.FixedTimeEquals(authRequest.AccessCode, code) || authRequest.GetExpirationDate() < DateTime.UtcNow)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }

3
src/Core/LoginFeatures/PasswordlessLogin/VerifyAuthRequest.cs
View File

@ -1,5 +1,6 @@
using Bit.Core.LoginFeatures.PasswordlessLogin.Interfaces; using Bit.Core.LoginFeatures.PasswordlessLogin.Interfaces;
using Bit.Core.Repositories; using Bit.Core.Repositories;
using Bit.Core.Utilities;
namespace Bit.Core.LoginFeatures.PasswordlessLogin; namespace Bit.Core.LoginFeatures.PasswordlessLogin;
@ -15,7 +16,7 @@ public class VerifyAuthRequestCommand : IVerifyAuthRequestCommand
public async Task<bool> VerifyAuthRequestAsync(Guid authRequestId, string accessCode) public async Task<bool> VerifyAuthRequestAsync(Guid authRequestId, string accessCode)
{ {
var authRequest = await _authRequestRepository.GetByIdAsync(authRequestId); var authRequest = await _authRequestRepository.GetByIdAsync(authRequestId);
if (authRequest == null || authRequest.AccessCode != accessCode) if (authRequest == null || !CoreHelpers.FixedTimeEquals(authRequest.AccessCode, accessCode))
{ {
return false; return false;
} }