Skip to content

fix(authentication): Handle null or empty string password hash#36653

Merged
nickvergessen merged 1 commit intomasterfrom
bugfix/noid/more-defensive-old-token-handling
Feb 20, 2023
Merged

fix(authentication): Handle null or empty string password hash#36653
nickvergessen merged 1 commit intomasterfrom
bugfix/noid/more-defensive-old-token-handling

Conversation

@nickvergessen
Copy link
Member

@nickvergessen nickvergessen commented Feb 10, 2023
edited
Loading

This can happen when the auth.storeCryptedPassword config is used, which previously errored with:
Hasher::verify(): Argument #2 ($hash) must be of type string, null given

As observed in https://drone.nextcloud.com/nextcloud/spreed/11732/1/4

Checklist

@nickvergessen
fix(authentication): Handle null or empty string password hash
6417ea0 
This can happen when the auth.storeCryptedPassword config is used,
which previously errored with:
Hasher::verify(): Argument #2 ($hash) must be of type string, null given

Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen nickvergessen added this to the Nextcloud 26 milestone Feb 10, 2023
@nickvergessen nickvergessen requested review from a team, come-nc and juliusknorr February 10, 2023 08:22
@nickvergessen nickvergessen self-assigned this Feb 10, 2023
@nickvergessen nickvergessen requested review from ArtificialOwl and icewind1991 and removed request for a team February 10, 2023 08:22
come-nc
come-nc reviewed Feb 13, 2023
View reviewed changes
lib/private/Authentication/Token/PublicKeyTokenProvider.php
// hash that we can reuse for detecting outdated passwords
$randomOldToken = $this->mapper->getFirstTokenForUser($uid);
$oldTokenMatches = $randomOldToken && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
Copy link
Contributor

@come-nc come-nc Feb 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
$oldTokenMatches = $randomOldToken && ($pwHash = $randomOldToken->getPasswordHash()) && $this->hasher->verify(sha1($password) . $password, $pwHash);

Copy link
Member Author

@nickvergessen nickvergessen Feb 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't do inline assignments in Nextcloud, also it's a just replacign a local member call here, so not sure it's worth the possible confusion.

Copy link
Contributor

@come-nc come-nc Feb 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem is not to avoid the local call, it’s that you cannot know that getPasswordHash will return the same thing twice, so checking it returns a non-falsy value and then calling it againg and using it as an object is dangerous.
I’m not sure how is the pretty way to write this, and I do dislike the inline assignment, I used it to show the smalest change possible to show the idea.

psalm will yell at you for doing this kind of stuff. Especially when most of the time we only know the interface used and not the class.

Suggested change
$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
if ($randomOldToken) {
$pwHash = $randomOldToken->getPasswordHash();
$oldTokenMatches = $pwHash && $this->hasher->verify(sha1($password) . $password, $pwHash);
} else {
$oldTokenMatches = false;
}

Or if PHP>=8:

Suggested change
$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
$pwHash = $randomOldToken?->getPasswordHash();
$oldTokenMatches = $pwHash && $this->hasher->verify(sha1($password) . $password, $pwHash);

Copy link
Member Author

@nickvergessen nickvergessen Feb 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem is not to avoid the local call, it’s that you cannot know that getPasswordHash will return the same thing twice

We have code like this with all our "Entities" all the time? How could the existing object change in the meantime?

come-nc
come-nc approved these changes Feb 20, 2023
View reviewed changes
Copy link
Contributor

@come-nc come-nc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still don’t like it, and I’m surprised psalm does not complain on such things.

@nickvergessen nickvergessen merged commit c550aca into master Feb 20, 2023
@nickvergessen nickvergessen deleted the bugfix/noid/more-defensive-old-token-handling branch February 20, 2023 10:15
@skjnldsv skjnldsv mentioned this pull request Feb 23, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juliusknorr juliusknorr juliusknorr approved these changes

@come-nc come-nc come-nc approved these changes

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl is a code owner automatically assigned from nextcloud/server-backend

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@vitormattos vitormattos Awaiting requested review from vitormattos

Assignees

@nickvergessen nickvergessen

Labels

3. to review Waiting for reviews bug feature: authentication

Projects

None yet

Milestone

Nextcloud 26

Development

Successfully merging this pull request may close these issues.

3 participants

@nickvergessen @juliusknorr @come-nc