Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There's an infinitesimally small possibility an existing token gets overwritten. #9250

Open
CharString opened this issue Feb 9, 2024 · 6 comments

Comments

@CharString
Copy link

CharString commented Feb 9, 2024

class Token(models.Model):
"""
The default authorization token model.
"""
key = models.CharField(_("Key"), max_length=40, primary_key=True)
user = models.OneToOneField(
settings.AUTH_USER_MODEL, related_name='auth_token',
on_delete=models.CASCADE, verbose_name=_("User")
)
created = models.DateTimeField(_("Created"), auto_now_add=True)
class Meta:
# Work around for a bug in Django:
# https://code.djangoproject.com/ticket/19422
#
# Also see corresponding ticket:
# https://github.com/encode/django-rest-framework/issues/705
abstract = 'rest_framework.authtoken' not in settings.INSTALLED_APPS
verbose_name = _("Token")
verbose_name_plural = _("Tokens")
def save(self, *args, **kwargs):
if not self.key:
self.key = self.generate_key()
return super().save(*args, **kwargs)
@classmethod
def generate_key(cls):
return binascii.hexlify(os.urandom(20)).decode()

The sample space is large 2 ** (8 * 20), but the probability is not 0 that generate_key returns a key that already exists, and then the save would update the existing one.

The smallest change, turns this into an integrity error:

     def save(self, *args, **kwargs): 
         if not self.key: 
             self.key = self.generate_key()
             kwargs["force_insert"] = True
         return super().save(*args, **kwargs) 
@CharString CharString changed the title Security issue: There's a minute chance that existing tokens are overwitten. Security issue: There's a minute chance that existing tokens are overwritten. Feb 9, 2024
@CharString CharString changed the title Security issue: There's a minute chance that existing tokens are overwritten. Security issue: There's a minute chance an existing token gets overwritten. Feb 9, 2024
@tomchristie
Copy link
Member

Yep that looks like a very sensible measure.
Would you like to go ahead and raise a pull request for this?

@tomchristie tomchristie changed the title Security issue: There's a minute chance an existing token gets overwritten. There's an infinitesimally small possibility an existing token gets overwritten. Mar 27, 2024
@tomchristie
Copy link
Member

Reassuringly "large" is an understatment here. But yes, the force_insert/IntegrityError makes sense.

We should really be pointing towards our security policy and following issues like this up promptly, but the project maintainership has been severely over-extended recently. We're now getting back onto a more even keel.

@Kludex
Copy link
Member

Kludex commented Mar 27, 2024

I'm not really into this project, but I saw this issue...

To the author of this issue: you shouldn't report security issues publicly.

To the maintainers: this should have been closed as soon as this was read, and recreated on another communication channel (email, private forum, etc) for triage.

@tomchristie
Copy link
Member

This isn't an exploitable security issue in reality, tho we ought to have been be keeping good policy regardless yes.

@browniebroke
Copy link
Contributor

Should this fix be considered a potential breaking change? e.g if some folks relied on the current behaviour to rotate an existing token. They would clear the key field and call save() on an existing token.

@CharString
Copy link
Author

Should this fix be considered a potential breaking change? e.g if some folks relied on the current behaviour to rotate an existing token. They would clear the key field and call save() on an existing token.

Would that even work? I'll test that when I prepare the PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants