From e9bb5879f772e4d546aadb4bb6f935c7c55b8000 Mon Sep 17 00:00:00 2001 From: Jessica Tallon Date: Fri, 21 Aug 2015 17:57:39 +0200 Subject: Fix #5344 - OAuth NotImplemented exception This introduces a migration which adds a dummy Client, RequestToken and AccessToken. These are used when an invalid request comes in, instead of bailing early, it needs dummy data to prevent timing attacks. This then implements the methods which get the IDs of the dummy objects. If these are changed in the future a migration which checks for the previous dummy object should be created and updates them to reflect the new IDs/tokens. --- mediagoblin/oauth/oauth.py | 43 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 36 insertions(+), 7 deletions(-) (limited to 'mediagoblin/oauth/oauth.py') diff --git a/mediagoblin/oauth/oauth.py b/mediagoblin/oauth/oauth.py index c7951734..2cc4e790 100644 --- a/mediagoblin/oauth/oauth.py +++ b/mediagoblin/oauth/oauth.py @@ -18,6 +18,7 @@ import datetime from oauthlib.common import Request from oauthlib.oauth1 import RequestValidator +from mediagoblin import oauth from mediagoblin.db.models import NonceTimestamp, Client, RequestToken, AccessToken class GMGRequestValidator(RequestValidator): @@ -94,7 +95,8 @@ class GMGRequestValidator(RequestValidator): def validate_client_key(self, client_key, request): """ Verifies client exists with id of client_key """ - client = Client.query.filter_by(id=client_key).first() + client_query = Client.query.filter(Client.id != oauth.DUMMY_CLIENT_ID) + client = client_query.filter_by(id=client_key).first() if client is None: return False @@ -102,15 +104,30 @@ class GMGRequestValidator(RequestValidator): def validate_access_token(self, client_key, token, request): """ Verifies token exists for client with id of client_key """ - client = Client.query.filter_by(id=client_key).first() - token = AccessToken.query.filter_by(token=token) - token = token.first() + # Get the client for the request + client_query = Client.query.filter(Client.id != oauth.DUMMY_CLIENT_ID) + client = client_query.filter_by(id=client_key).first() - if token is None: + # If the client is invalid then it's invalid + if client is None: return False - request_token = RequestToken.query.filter_by(token=token.request_token) - request_token = request_token.first() + # Look up the AccessToken + access_token_query = AccessToken.query.filter( + AccessToken.token != oauth.DUMMY_ACCESS_TOKEN + ) + access_token = access_token_query.filter_by(token=token).first() + + # If there isn't one - we can't validate. + if access_token is None: + return False + + # Check that the client matches the on + request_token_query = RequestToken.query.filter( + RequestToken.token != oauth.DUMMY_REQUEST_TOKEN, + RequestToken.token == access_token.request_token + ) + request_token = request_token_query.first() if client.id != request_token.client: return False @@ -131,6 +148,18 @@ class GMGRequestValidator(RequestValidator): access_token = AccessToken.query.filter_by(token=token).first() return access_token.secret + @property + def dummy_client(self): + return oauth.DUMMY_CLIENT_ID + + @property + def dummy_request_token(self): + return oauth.DUMMY_REQUEST_TOKEN + + @property + def dummy_access_token(self): + return oauth.DUMMY_ACCESS_TOKEN + class GMGRequest(Request): """ Fills in data to produce a oauth.common.Request object from a -- cgit v1.2.3