mirrors/bookwyrm
1
0
Fork 1
mirror of https://github.com/bookwyrm-social/bookwyrm.git synced 2024-06-08 00:09:34 +00:00
Code Issues Projects Releases Wiki Activity

Check that the date in the signature isn't too old.

Browse source
This commit is contained in:
Adam Kelly 2020-05-20 15:26:01 +01:00
parent 52eeabc5bb
commit b1516f18be
2 changed files with 22 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
fedireads/signatures.py
View file

@ -1,5 +1,6 @@
import hashlib
from urllib.parse import urlparse
import datetime
from base64 import b64encode, b64decode
from Crypto import Random
@ -7,6 +8,7 @@ from Crypto.PublicKey import RSA
from Crypto.Signature import pkcs1_15 #pylint: disable=no-name-in-module
from Crypto.Hash import SHA256
MAX_SIGNATURE_AGE = 300
def create_key_pair():
random_generator = Random.new().read
@ -77,6 +79,9 @@ class Signature:
def verify(self, public_key, request):
''' verify rsa signature '''
if http_date_age(request.headers['date']) > MAX_SIGNATURE_AGE:
raise ValueError(
"Request too old: %s" % (request.headers['date'],))
public_key = RSA.import_key(public_key)
comparison_string = []
@ -99,3 +104,8 @@ class Signature:
# raises a ValueError if it fails
signer.verify(digest, self.signature)
def http_date_age(datestr):
parsed = datetime.datetime.strptime(datestr, '%a, %d %b %Y %H:%M:%S GMT')
delta = datetime.datetime.utcnow() - parsed
return delta.total_seconds()

14
fedireads/tests/test_signing.py
View file

@ -1,3 +1,4 @@
import time
from collections import namedtuple
from urllib.parse import urlsplit
@ -51,8 +52,9 @@ class Signature(TestCase):
sender,
signer=None,
send_data=None,
digest=None):
now = http_date()
digest=None,
date=None):
now = date or http_date()
data = get_follow_data(sender, self.rat)
signature = make_signature(
signer or sender, self.rat.inbox, now, digest or make_digest(data))
@ -105,3 +107,11 @@ class Signature(TestCase):
self.mouse,
digest='SHA-256=AAAAAAAAAAAAAAAAAA')
self.assertEqual(response.status_code, 401)
def test_old_message(self):
'''Old messages should be rejected to prevent replay attacks.'''
response = self.send_test_request(
self.mouse,
date=http_date(time.time() - 301)
)
self.assertEqual(response.status_code, 401)