Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restore previous handling of long passwords #1295

Merged
merged 1 commit into from
Jan 18, 2023
Merged

Restore previous handling of long passwords #1295

merged 1 commit into from
Jan 18, 2023

Conversation

silvestre
Copy link
Member

@silvestre silvestre commented Jan 17, 2023
edited
Loading

Configured passwords for the servicebroker and the healthendpoints were
previously (before #1249) silently truncated to the first 72 bytes.

This change restores the truncation to the first 72 bytes, but adds an
error level warning (as lager does not have a dedicated warning
level), documenting this truncation, so previously configured passwords
longer than 72 bytes will continue to work unchanged.

Prior to this PR, since #1249, passwords longer than 72 bytes would cause an error.

@silvestre silvestre added the allow-acceptance-tests This label needs to be added to enable the acceptance tests to run. label Jan 17, 2023
@silvestre
Restore previous handling of long passwords
5e630ad 
Configured passwords for the servicebroker and the healthendpoints were
previously silently truncated to the first 72 bytes [1].

This change restores the truncation to the first 72 bytes, but adds an
error level warning (as `lager` does not have a dedicated warning
level), documenting this truncation, so previously configured passwords
longer than 72 bytes will continue to work unchanged.

Prior to this PR, passwords longer than 72 bytes would cause an error.

[1]: golang/go#36546
@sonarcloud
Copy link

sonarcloud bot commented Jan 17, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@silvestre silvestre marked this pull request as ready for review January 17, 2023 16:12
@silvestre silvestre merged commit d3091f2 into main Jan 18, 2023
@silvestre silvestre deleted the fix-password-restriction branch January 18, 2023 12:29
@silvestre silvestre added the bug label Jan 18, 2023
@risicle
Copy link
Contributor

risicle commented Mar 23, 2023

I understand the purpose of adding the warning, but I don't understand why this PR also bumps the deployment's password to a length greater than this. It means that anyone trying to extract the generated password from the bosh vars store has to know about this and truncate similarly before using it.

@silvestre
Copy link
Member Author

I understand the purpose of adding the warning, but I don't understand why this PR also bumps the deployment's password to a length greater than this. It means that anyone trying to extract the generated password from the bosh vars store has to know about this and truncate similarly before using it.

It just restores the previous settings.

I'm not sure in what scenario someone extracting the password would have to truncate it themself?

@risicle
Copy link
Contributor

risicle commented Jul 11, 2023

(forgive me, I'm having to refresh myself on something 4 months back..)

But this change only performs auto-truncation on the submitted user/pass in the healthcheck endpoints. For the brokerserver, for instance, the warning and truncation is performed on the configured user/pass, but the submitted user/pass is just pulled directly from request.BasicAuth() and handed to bcrypt.CompareHashAndPassword.

@silvestre
Copy link
Member Author

silvestre commented Jul 12, 2023
edited
Loading

I see, but this is exactly the reason why the deployments password was bumped up to full length, so that our tests would catch any such issue.

They are passing because bcrypt.CompareHashAndPassword does the silent truncation of the submitted password: https://go.dev/play/p/weYfWJJRjp4

I suppose this implicit truncation could be made explicit to prevent confusion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joergdw joergdw joergdw approved these changes

Assignees
No one assigned
Labels
allow-acceptance-tests This label needs to be added to enable the acceptance tests to run. bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@silvestre @risicle @joergdw