fix: [security] Auth key must be always random generated at server side

2020-12-03 17:24:26 +01:00 · 2020-12-03 17:24:26 +01:00 · c06782226a
parent f27580f1e6
commit c06782226a
3 changed files with 11 additions and 5 deletions
--- a/app/Controller/AuthKeysController.php
+++ b/app/Controller/AuthKeysController.php
@ -71,15 +71,16 @@ class AuthKeysController extends AppController
    {
        $params = [
            'displayOnSuccess' => 'authkey_display',
-            'saveModelVariable' => ['authkey_raw']
+            'saveModelVariable' => ['authkey_raw'],
+            'override' => ['authkey' => null], // do not allow to use own key, always generate random one
        ];
        $selectConditions = [];
        if (!$this->_isSiteAdmin()) {
            $selectConditions['AND'][] = ['User.id' => $this->Auth->user('id')];
-            $params['override'] = ['user_id' => $this->Auth->user('id')];
+            $params['override']['user_id'] = $this->Auth->user('id');
        } else if ($user_id) {
            $selectConditions['AND'][] = ['User.id' => $user_id];
-            $params['override'] = ['user_id' => $user_id];
+            $params['override']['user_id'] = $user_id;
        }
        $this->CRUD->add($params);
        if ($this->IndexFilter->isRest()) {
--- a/app/Controller/Component/CRUDComponent.php
+++ b/app/Controller/Component/CRUDComponent.php
@ -75,8 +75,6 @@ class CRUDComponent extends Component
                    $input[$modelName][$field] = $value;
                }
            }
-            if (isset($input[$modelName]['id'])) {
-            }
            unset($input[$modelName]['id']);
            if (!empty($params['fields'])) {
                $data = [];
--- a/tests/testlive_security.py
+++ b/tests/testlive_security.py
@ -375,6 +375,13 @@ class TestSecurity(unittest.TestCase):

            self.__delete_advanced_authkey(auth_key["id"])

+    def test_advanced_authkeys_own_key_not_possible(self):
+        with MISPSetting(self.admin_misp_connector, "Security.advanced_authkeys", True):
+            authkey = ("a" * 40)
+            auth_key = self.__create_advanced_authkey(self.test_usr.id, {"authkey": authkey})
+            self.__delete_advanced_authkey(auth_key["id"])
+            self.assertNotEqual(authkey, auth_key["authkey"])
+
    def test_advanced_authkeys_reset_own(self):
        with self.__setting("Security.advanced_authkeys", True):
            # Create advanced authkey