Merge pull request from GHSA-7vwg-39h8-8qp8

EZP-32156: Security fixes for 'user/sessions' endpoint
ezsystems · Mar 9, 2021 · e239bba · e239bba
2 parents 20dd6c5 + 71f2c14
commit e239bba
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 2 deletions.
diff --git a/src/bundle/Resources/config/default_settings.yml b/src/bundle/Resources/config/default_settings.yml
@@ -87,3 +87,7 @@ parameters:
         createToken:
             mediaType: 'JWT'
             href: 'router.generate("ibexa.platform.rest.create_token")'
+
+    # Boundary times in microseconds which the authentication check will be delayed by.
+    ibexa.rest.authentication_min_delay_time: 30000
+    ibexa.rest.authentication_max_delay_time: 500000
diff --git a/src/bundle/Resources/config/security.yml b/src/bundle/Resources/config/security.yml
@@ -15,6 +15,8 @@ services:
             - "@ezpublish.config.resolver"
             - "@session.storage"
             - "@?logger"
+            - "%ibexa.rest.authentication_min_delay_time%"
+            - "%ibexa.rest.authentication_max_delay_time%"
         abstract: true
 
     ezpublish_rest.security.authentication.logout_handler:

diff --git a/src/lib/Server/Controller/SessionController.php b/src/lib/Server/Controller/SessionController.php
@@ -75,7 +75,7 @@ public function createSessionAction(Request $request)
             )
         );
         $request->attributes->set('username', $sessionInput->login);
-        $request->attributes->set('password', $sessionInput->password);
+        $request->attributes->set('password', (string) $sessionInput->password);
 
         try {
             $session = $request->getSession();

diff --git a/src/lib/Server/Security/RestAuthenticator.php b/src/lib/Server/Security/RestAuthenticator.php
@@ -35,6 +35,10 @@
  */
 class RestAuthenticator implements AuthenticatorInterface
 {
+    private const DEFAULT_MIN_SLEEP_VALUE = 30000;
+
+    private const DEFAULT_MAX_SLEEP_VALUE = 500000;
+
     /**
      * @var \Psr\Log\LoggerInterface
      */
@@ -74,14 +78,26 @@ class RestAuthenticator implements AuthenticatorInterface
      */
     private $logoutHandlers = [];
 
+    /**
+     * @var int|null
+     */
+    private $minSleepTime;
+
+    /**
+     * @var int|null
+     */
+    private $maxSleepTime;
+
     public function __construct(
         TokenStorageInterface $tokenStorage,
         AuthenticationManagerInterface $authenticationManager,
         $providerKey,
         EventDispatcherInterface $dispatcher,
         ConfigResolverInterface $configResolver,
         SessionStorageInterface $sessionStorage,
-        LoggerInterface $logger = null
+        LoggerInterface $logger = null,
+        $minSleepTime = self::DEFAULT_MIN_SLEEP_VALUE,
+        $maxSleepTime = self::DEFAULT_MAX_SLEEP_VALUE
     ) {
         $this->tokenStorage = $tokenStorage;
         $this->authenticationManager = $authenticationManager;
@@ -90,6 +106,8 @@ public function __construct(
         $this->configResolver = $configResolver;
         $this->sessionStorage = $sessionStorage;
         $this->logger = $logger;
+        $this->minSleepTime = !is_int($minSleepTime) ? self::DEFAULT_MIN_SLEEP_VALUE : $minSleepTime;
+        $this->maxSleepTime = !is_int($maxSleepTime) ? self::DEFAULT_MAX_SLEEP_VALUE : $maxSleepTime;
     }
 
     /**
@@ -104,6 +122,8 @@ public function __invoke(RequestEvent $event)
 
     public function authenticate(Request $request)
     {
+        usleep(random_int($this->minSleepTime, $this->maxSleepTime));
+
         // If a token already exists and username is the same as the one we request authentication for,
         // then return it and mark it as coming from session.
         $previousToken = $this->tokenStorage->getToken();