heimoshuiyu/postmoogle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

securely compare passwords, add notice about message removal

Browse Source
This commit is contained in:
Aine
2022-09-23 10:19:25 +03:00
parent 1dc552686d
commit 5a19ffad08
4 changed files with 37 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
bot/access.go
View File

@@ -6,6 +6,8 @@ import (
"gitlab.com/etke.cc/go/mxidwc" "gitlab.com/etke.cc/go/mxidwc"
"maunium.net/go/mautrix/id" "maunium.net/go/mautrix/id"
"gitlab.com/etke.cc/postmoogle/utils"
) )
func parseMXIDpatterns(patterns []string, defaultPattern string) ([]*regexp.Regexp, error) { func parseMXIDpatterns(patterns []string, defaultPattern string) ([]*regexp.Regexp, error) {
@@ -78,5 +80,5 @@ func (b *Bot) AllowAuth(mailbox, password string) bool {
return false return false
} }
return cfg.Password() != "" && cfg.Password() == password return utils.Compare(password, cfg.Password())
} }

1
bot/command.go
View File

@@ -76,7 +76,6 @@ func (b *Bot) initCommands() commandList {
{ {
key: roomOptionPassword, key: roomOptionPassword,
description: "Get or set SMTP password of the room's mailbox", description: "Get or set SMTP password of the room's mailbox",
sanitizer: func(s string) string { return strings.TrimSpace(s) },
allowed: b.allowOwner, allowed: b.allowOwner,
}, },
{allowed: b.allowOwner}, // delimiter {allowed: b.allowOwner}, // delimiter

14
bot/command_owner.go
View File

@@ -62,12 +62,17 @@ func (b *Bot) getOption(ctx context.Context, name string) {
msg := fmt.Sprintf("`%s` of this room is `%s`\n"+ msg := fmt.Sprintf("`%s` of this room is `%s`\n"+
"To set it to a new value, send a `%s %s VALUE` command.", "To set it to a new value, send a `%s %s VALUE` command.",
name, value, b.prefix, name) name, value, b.prefix, name)
if name == roomOptionPassword {
msg = msg + "\n\n---\n\n" +
"**Please, remove that message after reading.**"
}
b.SendNotice(ctx, evt.RoomID, msg) b.SendNotice(ctx, evt.RoomID, msg)
} }
//nolint:gocognit
func (b *Bot) setOption(ctx context.Context, name, value string) { func (b *Bot) setOption(ctx context.Context, name, value string) {
cmd := b.commands.get(name) cmd := b.commands.get(name)
if cmd != nil { if cmd != nil && cmd.sanitizer != nil {
value = cmd.sanitizer(value) value = cmd.sanitizer(value)
} }
@@ -104,5 +109,10 @@ func (b *Bot) setOption(ctx context.Context, name, value string) {
return return
} }
b.SendNotice(ctx, evt.RoomID, fmt.Sprintf("`%s` of this room set to `%s`", name, value)) msg := fmt.Sprintf("`%s` of this room set to `%s`", name, value)
if name == roomOptionPassword {
msg = msg + "\n\n---\n\n" +
"**Please, remove that message and the previous one.**"
}
b.SendNotice(ctx, evt.RoomID, msg)
} }

22
utils/utils.go
View File

@@ -1,6 +1,7 @@
package utils package utils
import ( import (
"crypto/subtle"
"strconv" "strconv"
"strings" "strings"
) )
@@ -33,3 +34,24 @@ func Bool(str string) bool {
func SanitizeBoolString(str string) string { func SanitizeBoolString(str string) string {
return strconv.FormatBool(Bool(str)) return strconv.FormatBool(Bool(str))
} }
// Compare strings with constant time to prevent timing attacks
func Compare(actual, expected string) bool {
actualb := []byte(actual)
expectedb := []byte(expected)
if expected == "" {
// Just to keep constant time
_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
return false
}
// actual comparison
if subtle.ConstantTimeEq(int32(len(actual)), int32(len(expected))) == 1 {
return subtle.ConstantTimeCompare(actualb, expectedb) == 1
}
// Just to keep constant time
_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
return false
}