I think the proper way to do this to avoid the timing attack is (if you have ActiveSupport available):

```ruby
http_basic do |username, password|
  # Constant-time comparison (hashes both sides first, so differing lengths
  # don't leak either); `&` rather than `&&` so the password is always
  # compared even when the username is wrong.
  ActiveSupport::SecurityUtils.variable_size_secure_compare(GRAPE_API_USERNAME, username) &
    ActiveSupport::SecurityUtils.variable_size_secure_compare(GRAPE_API_PASSWORD, password)
end
```
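An added example (mine, not code from this thread or from Grape) showing, in plain Ruby with no ActiveSupport dependency, the naive `String#==` check that leaks timing beside a constant-time equivalent of the `variable_size_secure_compare` approach proposed above; the credential constants are constructed sample values.

```ruby
require 'openssl'

# Constructed sample credentials; a real app would load these from config/env.
GRAPE_API_USERNAME = 'api-user'.freeze
GRAPE_API_PASSWORD = 'correct horse battery staple'.freeze

# Naive check: String#== returns as soon as a byte differs, so the time taken
# leaks how many leading characters of the guess were right.
def naive_credentials_match?(username, password)
  username == GRAPE_API_USERNAME && password == GRAPE_API_PASSWORD
end

# Constant-time compare for equal-length strings: XOR every byte pair and OR
# the results together, so the loop always runs to the end regardless of
# where (or whether) the strings differ.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, 'lengths differ' unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Variable-length compare: hash both sides to a fixed 32-byte digest first,
# which is what ActiveSupport's variable_size_secure_compare does, so the
# comparison time no longer depends on the length of either input.
def secure_compare(a, b)
  fixed_length_secure_compare(
    OpenSSL::Digest::SHA256.digest(a),
    OpenSSL::Digest::SHA256.digest(b)
  )
end

# Non-short-circuiting `&` so the password is always compared even when the
# username is wrong; this is the body you would put in Grape's http_basic block.
def constant_time_credentials_match?(username, password)
  secure_compare(GRAPE_API_USERNAME, username.to_s) &
    secure_compare(GRAPE_API_PASSWORD, password.to_s)
end
```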
I've got to admit that's an impressively obvious CVE. I suggest simply removing the specific example from the documentation and leaving the comment to verify the user's password. It's probably not Grape's responsibility to make sure you implement BASIC auth with this CVE in mind, otherwise we would also have to care about things like what headers you send to the client for, say, CSP.
I was just looking at the README section about basic auth: https://github.com/ruby-grape/grape#authentication
This sure looks like it's prone to a timing attack on the password like CVE-2015-7576 https://groups.google.com/forum/#!msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ and should ideally not be a recommended solution for password auth.