fixed GHSA-c94j-vqr5-3mxr - privilege escalation during web auth

2024-09-20 06:46:17 +08:00 · 2023-11-23 18:35:27 +01:00 · 2023-11-23 18:35:27 +01:00 · e3b26b2699
parent 80ec7444f9
commit e3b26b2699
2 changed files with 13 additions and 9 deletions
--- a/warpgate-protocol-http/src/api/auth.rs
+++ b/warpgate-protocol-http/src/api/auth.rs
@ -129,7 +129,7 @@ impl Api {

        let password_cred = AuthCredential::Password(Secret::new(body.password.clone()));
        if cp
-            .validate_credential(&body.username, &password_cred)
+            .validate_credential(&state.username(), &password_cred)
            .await?
        {
            state.add_valid_credential(password_cred);
--- a/warpgate-protocol-http/src/common.rs
+++ b/warpgate-protocol-http/src/common.rs
@ -194,16 +194,20 @@ pub async fn get_auth_state_for_request(
        }
    }

-    match session.get_auth_state_id() {
-        Some(id) => Ok(store.get(&id.0).ok_or(WarpgateError::InconsistentState)?),
-        None => {
-            let (id, state) = store
-                .create(None, username, crate::common::PROTOCOL_NAME)
-                .await?;
-            session.set(AUTH_STATE_ID_SESSION_KEY, AuthStateId(id));
-            Ok(state)
+    if let Some(id) = session.get_auth_state_id() {
+        let state = store.get(&id.0).ok_or(WarpgateError::InconsistentState)?;
+
+        let existing_matched = state.lock().await.username() == username;
+        if existing_matched {
+            return Ok(state);
        }
    }
+
+    let (id, state) = store
+        .create(None, username, crate::common::PROTOCOL_NAME)
+        .await?;
+    session.set(AUTH_STATE_ID_SESSION_KEY, AuthStateId(id));
+    Ok(state)
 }

 pub async fn authorize_session(req: &Request, username: String) -> poem::Result<()> {