paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-23 04:52:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2021-3967: Only regenerate the API key by authing with the old key.

Browse Source
This commit is contained in:
Mateusz Mandera
2022-02-18 21:49:17 +01:00
committed by Alex Vandiver
parent 5784bdd0ed
commit 974c98a45a
3 changed files with 23 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
static/js/settings_account.js
View File

@@ -345,8 +345,15 @@ export function set_up() {
} }
$("#show_api_key").on("click", "button.regenerate_api_key", (e) => { $("#show_api_key").on("click", "button.regenerate_api_key", (e) => {
const email = page_params.delivery_email;
const api_key = $("#api_key_value").text();
const authorization_header = "Basic " + btoa(`${email}:${api_key}`);
channel.post({ channel.post({
url: "/json/users/me/api_key/regenerate", // This endpoint is only accessible with the previous API key,
// via our usual HTTP Basic auth mechanism.
url: "/api/v1/users/me/api_key/regenerate",
headers: {Authorization: authorization_header},
success(data) { success(data) {
$("#api_key_value").text(data.api_key); $("#api_key_value").text(data.api_key);
}, },

10
zerver/tests/test_settings.py
View File

@@ -431,7 +431,17 @@ class UserChangesTest(ZulipTestCase):
for api_key in old_api_keys: for api_key in old_api_keys:
self.assertEqual(get_user_profile_by_api_key(api_key).email, email) self.assertEqual(get_user_profile_by_api_key(api_key).email, email)
# First verify this endpoint is not registered in the /json/... path
# to prevent access with only a session.
result = self.client_post("/json/users/me/api_key/regenerate") result = self.client_post("/json/users/me/api_key/regenerate")
self.assertEqual(result.status_code, 404)
# A logged-in session doesn't allow access to an /api/v1/ endpoint
# of course.
result = self.client_post("/api/v1/users/me/api_key/regenerate")
self.assertEqual(result.status_code, 401)
result = self.api_post(user, "/api/v1/users/me/api_key/regenerate")
self.assert_json_success(result) self.assert_json_success(result)
new_api_key = result.json()["api_key"] new_api_key = result.json()["api_key"]
self.assertNotIn(new_api_key, old_api_keys) self.assertNotIn(new_api_key, old_api_keys)

6
zproject/urls.py
View File

@@ -382,7 +382,6 @@ v1_api_and_json_patterns = [
rest_path("user_groups/<int:user_group_id>", PATCH=edit_user_group, DELETE=delete_user_group), rest_path("user_groups/<int:user_group_id>", PATCH=edit_user_group, DELETE=delete_user_group),
rest_path("user_groups/<int:user_group_id>/members", POST=update_user_group_backend), rest_path("user_groups/<int:user_group_id>/members", POST=update_user_group_backend),
# users/me -> zerver.views.user_settings # users/me -> zerver.views.user_settings
rest_path("users/me/api_key/regenerate", POST=regenerate_api_key),
rest_path( rest_path(
"users/me/enter-sends", "users/me/enter-sends",
POST=( POST=(
@@ -711,6 +710,11 @@ v1_api_mobile_patterns = [
# This json format view used by the mobile apps accepts a username # This json format view used by the mobile apps accepts a username
# password/pair and returns an API key. # password/pair and returns an API key.
path("fetch_api_key", api_fetch_api_key), path("fetch_api_key", api_fetch_api_key),
# The endpoint for regenerating and obtaining a new API key
# should only be available by authenticating with the current
# API key - as we consider access to the API key sensitive
# and just having a logged-in session should be insufficient.
rest_path("users/me/api_key/regenerate", POST=regenerate_api_key),
] ]
# View for uploading messages from email mirror # View for uploading messages from email mirror