hendrik/lens
1
0
Fork 0
mirror of https://github.com/lensapp/lens.git synced 2025-05-20 05:10:56 +00:00
Code Issues Projects Releases Wiki Activity

Make ws:// authentication more timing safe (#4297)

Browse Source
This commit is contained in:
Sebastian Malton 2021-11-09 14:24:32 -05:00 committed by GitHub
parent 18d695348b
commit 81b972a2d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/main/proxy-functions/shell-api-request.ts
View File

@ -28,14 +28,17 @@ import URLParse from "url-parse";
import { ExtendedMap, Singleton } from "../../common/utils";
import type { ClusterId } from "../../common/cluster-types";
import { ipcMainHandle } from "../../common/ipc";
import * as uuid from "uuid";
import crypto from "crypto";
import { promisify } from "util";
const randomBytes = promisify(crypto.randomBytes);
export class ShellRequestAuthenticator extends Singleton {
private tokens = new ExtendedMap<ClusterId, Map<string, string>>();
private tokens = new ExtendedMap<ClusterId, Map<string, Uint8Array>>();
init() {
ipcMainHandle("cluster:shell-api", (event, clusterId, tabId) => {
const authToken = uuid.v4();
ipcMainHandle("cluster:shell-api", async (event, clusterId, tabId) => {
const authToken = Uint8Array.from(await randomBytes(128));
this.tokens
.getOrInsert(clusterId, () => new Map())
@ -60,9 +63,9 @@ export class ShellRequestAuthenticator extends Singleton {
}
const authToken = clusterTokens.get(tabId);
const buf = Uint8Array.from(Buffer.from(token, "base64"));
// need both conditions to prevent `undefined === undefined` being true here
if (typeof authToken === "string" && authToken === token) {
if (authToken instanceof Uint8Array && authToken.length === buf.length && crypto.timingSafeEqual(authToken, buf)) {
// remove the token because it is a single use token
clusterTokens.delete(tabId);

9
src/renderer/api/terminal-api.ts
View File

@ -81,7 +81,12 @@ export class TerminalApi extends WebSocketApi {
this.emitStatus("Connecting ...");
}
const shellToken = await ipcRenderer.invoke("cluster:shell-api", getHostedClusterId(), this.query.id);
const authTokenArray = await ipcRenderer.invoke("cluster:shell-api", getHostedClusterId(), this.query.id);
if (!(authTokenArray instanceof Uint8Array)) {
throw new TypeError("ShellApi token is not a Uint8Array");
}
const { hostname, protocol, port } = location;
const socketUrl = url.format({
protocol: protocol.includes("https") ? "wss" : "ws",
@ -90,7 +95,7 @@ export class TerminalApi extends WebSocketApi {
pathname: "/api",
query: {
...this.query,
shellToken,
shellToken: Buffer.from(authTokenArray).toString("base64"),
},
slashes: true,
});