Traeger-GmbH / release-server

A server application for managing your own release artifacts via a REST API.


Compare passwords in constant time to avoid timing attack vulnerabilities

kpreisser opened this issue · comments

I noticed BasicAuthHandler does a string comparison on the user's password:

```csharp
private async Task<string> CheckCredentials(CredentialsModel credentials)
{
    // Get the credentials from the auth path and base64 decode the password
    var validCredentials = await Task.Run(() =>
        JsonConvert.DeserializeObject<CredentialsModel>(File.ReadAllText(AuthPath)));
    // Encoding.Default is OS/locale dependent (see below)
    validCredentials.Password = Encoding.Default.GetString(Convert.FromBase64String(validCredentials.Password));
    // '==' on strings is string.Equals: it returns at the first mismatching character,
    // so the comparison time depends on how much of the guess is correct
    if (credentials.Username == validCredentials.Username && credentials.Password == validCredentials.Password)
        return validCredentials.Username;
    return null;
}
```

Comparing passwords using a simple string.Equals can make the code vulnerable to timing attacks, as a simple equals method will return as early as possible (when it finds the first mismatch).

Instead, for comparing passwords or other secret information, a method like CryptographicOperations.FixedTimeEquals should be used that compares the sequences in constant time.

Additionally, I think Encoding.Default should not be used anymore, as it depends on the OS. E.g. on Windows, it returns the language/region-specific ANSI encoding (e.g. Windows-1252 on German systems, gb2312 on Chinese (simplified) systems).
Instead, it should probably be Encoding.UTF8 or Encoding.Unicode.

Thanks!
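A hardened version of the comparison described in the issue, as an added example that is not the project's code or the reporter's. It assumes a .NET runtime that ships CryptographicOperations.FixedTimeEquals (.NET Core 2.1 or later), and it replaces the JSON file at AuthPath with an in-memory credential record so it runs stand-alone; the constructed sample credentials are not real. The SHA-256 step goes one caveat beyond the issue: FixedTimeEquals returns false up front when the two buffers differ in length, so hashing both sides first makes even the length of the stored secret unobservable.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the release-server code. Requires .NET Core 2.1+ / .NET 5+
// for CryptographicOperations.FixedTimeEquals.
public static class ConstantTimeCredentialCheck
{
    // The pattern from the issue: string '==' (string.Equals) returns at the first
    // mismatching character, so response time leaks how many leading characters
    // of the guess are correct.
    public static bool EqualsShortCircuit(string expected, string supplied)
    {
        return expected == supplied;
    }

    // Compare UTF-8 bytes in constant time. FixedTimeEquals still returns false
    // immediately when the lengths differ, so an attacker can learn the length of
    // the stored secret, but nothing about its content.
    public static bool EqualsFixedTime(string expected, string supplied)
    {
        byte[] a = Encoding.UTF8.GetBytes(expected);
        byte[] b = Encoding.UTF8.GetBytes(supplied);
        return CryptographicOperations.FixedTimeEquals(a, b);
    }

    // Hash both sides first so the compared buffers are always 32 bytes long;
    // this hides the length of the stored secret as well. (Addition beyond the
    // issue's suggestion.)
    public static bool EqualsHashedFixedTime(string expected, string supplied)
    {
        using (var sha = SHA256.Create())
        {
            byte[] a = sha.ComputeHash(Encoding.UTF8.GetBytes(expected));
            byte[] b = sha.ComputeHash(Encoding.UTF8.GetBytes(supplied));
            return CryptographicOperations.FixedTimeEquals(a, b);
        }
    }

    // Rewrite of the issue's CheckCredentials logic against an in-memory record
    // (hypothetical stand-in for the JSON file at AuthPath).
    public static string CheckCredentials(string storedUsername, string storedPasswordBase64,
                                          string username, string password)
    {
        // Decode with an explicit encoding; Encoding.Default varies by OS and locale.
        string storedPassword = Encoding.UTF8.GetString(Convert.FromBase64String(storedPasswordBase64));

        // Evaluate both comparisons unconditionally and combine with the
        // non-short-circuiting '&' so a wrong username is not rejected faster
        // than a wrong password.
        bool userOk = EqualsHashedFixedTime(storedUsername, username);
        bool passOk = EqualsHashedFixedTime(storedPassword, password);
        return (userOk & passOk) ? storedUsername : null;
    }

    public static void Main()
    {
        // Constructed sample credentials; the stored password is kept base64-encoded
        // like the project's auth file.
        const string storedUser = "admin";
        string storedPassB64 = Convert.ToBase64String(Encoding.UTF8.GetBytes("correct horse battery staple"));

        Console.WriteLine("valid:          " +
            (CheckCredentials(storedUser, storedPassB64, "admin", "correct horse battery staple") ?? "rejected"));
        Console.WriteLine("wrong password: " +
            (CheckCredentials(storedUser, storedPassB64, "admin", "correct horse battery stapl") ?? "rejected"));
        Console.WriteLine("wrong username: " +
            (CheckCredentials(storedUser, storedPassB64, "root", "correct horse battery staple") ?? "rejected"));
    }
}
```

EqualsShortCircuit is kept only to show the pattern being replaced; the two fixed-time variants are the ones to use, and the hashed one is preferable when the stored secret's length should not be observable either.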

The fix is implemented now.