CVE-2021-3967: Only regenerate the API key by authing with the old key.

This commit is contained in:
Mateusz Mandera
2022-02-18 21:49:17 +01:00
committed by Alex Vandiver
parent 5784bdd0ed
commit 974c98a45a
3 changed files with 23 additions and 2 deletions


@@ -431,7 +431,17 @@ class UserChangesTest(ZulipTestCase):
for api_key in old_api_keys:
self.assertEqual(get_user_profile_by_api_key(api_key).email, email)
# First verify this endpoint is not registered in the /json/... path
# to prevent access with only a session.
result = self.client_post("/json/users/me/api_key/regenerate")
self.assertEqual(result.status_code, 404)
# A logged-in session doesn't allow access to an /api/v1/ endpoint
# of course.
result = self.client_post("/api/v1/users/me/api_key/regenerate")
self.assertEqual(result.status_code, 401)
result = self.api_post(user, "/api/v1/users/me/api_key/regenerate")
self.assert_json_success(result)
new_api_key = result.json()["api_key"]
self.assertNotIn(new_api_key, old_api_keys)