Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent security failure due to bad APP_ID #18678

Merged
merged 3 commits into from
Feb 9, 2022

Conversation

zeripath
Copy link
Contributor

@zeripath zeripath commented Feb 8, 2022

WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.

Also we should allow [u2f] as-well as [U2F] sections.

Signed-off-by: Andrew Thornton art27@cantab.net

WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.

Also we should allow [u2f] as-well as [U2F] sections.

Signed-off-by: Andrew Thornton <art27@cantab.net>
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Feb 8, 2022
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Feb 9, 2022
@lunny
Copy link
Member

lunny commented Feb 9, 2022

This PR fixed the first authentication failure problem when setup 2FA. But it still has not resolve the migrated U2F keys invalid problem. Of course I think that could be another PR.

@codecov-commenter
Copy link

Codecov Report

Merging #18678 (4611177) into main (4d93984) will decrease coverage by 0.00%.
The diff coverage is 38.59%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #18678      +/-   ##
==========================================
- Coverage   46.64%   46.63%   -0.01%     
==========================================
  Files         846      846              
  Lines      121331   121367      +36     
==========================================
+ Hits        56595    56605      +10     
- Misses      57859    57888      +29     
+ Partials     6877     6874       -3     
Impacted Files Coverage Δ
modules/setting/setting.go 45.77% <20.00%> (-0.34%) ⬇️
modules/queue/workerpool.go 51.44% <38.70%> (-4.43%) ⬇️
services/mirror/mirror.go 15.70% <41.17%> (+4.19%) ⬆️
models/unit/unit.go 47.82% <50.00%> (+0.92%) ⬆️
modules/queue/queue_bytefifo.go 47.60% <0.00%> (-1.85%) ⬇️
modules/queue/queue_disk_channel.go 60.66% <0.00%> (-1.26%) ⬇️
models/repo_list.go 75.66% <0.00%> (-0.49%) ⬇️
modules/queue/queue_channel.go 83.01% <0.00%> (ø)
... and 6 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4160aff...4611177. Read the comment docs.

@lunny lunny merged commit 2f76608 into go-gitea:main Feb 9, 2022
@zeripath zeripath deleted the present-appid-webauthn branch February 9, 2022 09:13
zeripath added a commit to zeripath/gitea that referenced this pull request Feb 9, 2022
Backport go-gitea#18678

WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.

Also we should allow [u2f] as-well as [U2F] sections.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@zeripath zeripath added the backport/done All backports for this PR have been created label Feb 9, 2022
zjjhot added a commit to zjjhot/gitea that referenced this pull request Feb 9, 2022
* giteaofficial/main:
  Prevent security failure due to bad APP_ID (go-gitea#18678)
  [skip ci] Updated translations via Crowdin
  Let `MinUnitAccessMode` return correct perm (go-gitea#18675)
  Simplify Boost/Pause logic (go-gitea#18673)
  update the comparison documents (go-gitea#18669)
  Restart zero worker if there is still work to do (go-gitea#18658)
verifyAssertion(credential);
}).catch((err) => {
webAuthnError('general', err.message);
});
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This kind of screams to be refactored using await 😉

6543 pushed a commit that referenced this pull request Feb 10, 2022
Backport #18678

WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.

Also we should allow [u2f] as-well as [U2F] sections.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Chianina pushed a commit to Chianina/gitea that referenced this pull request Mar 28, 2022
WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.

Also we should allow [u2f] as-well as [U2F] sections.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants