meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2025-10-17 17:01:01 +00:00
Code Issues Releases Wiki Activity

Explicitly don't cache sensitive 2FA actions (#43083).

Browse Source 
Patch by Felix Schäfer (user:felix).

git-svn-id: https://svn.redmine.org/redmine/trunk@23917 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Marius Balteanu 2025-08-13 05:58:49 +00:00
parent 8f002c297e
commit 2d1f1684a1
4 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/account_controller.rb
View File

@ -220,6 +220,7 @@ class AccountController < ApplicationController
def twofa_confirm def twofa_confirm
@twofa_view = @twofa.otp_confirm_view_variables @twofa_view = @twofa.otp_confirm_view_variables
no_store
end end
def twofa def twofa

2
app/controllers/twofa_backup_codes_controller.rb
View File

@ -37,6 +37,7 @@ class TwofaBackupCodesController < ApplicationController
def confirm def confirm
@twofa_view = @twofa.otp_confirm_view_variables @twofa_view = @twofa.otp_confirm_view_variables
no_store
end end
def create def create
@ -64,6 +65,7 @@ class TwofaBackupCodesController < ApplicationController
if tokens.present? && (@created_at = tokens.collect(&:created_on).max) > 5.minutes.ago if tokens.present? && (@created_at = tokens.collect(&:created_on).max) > 5.minutes.ago
@backup_codes = tokens.collect(&:value) @backup_codes = tokens.collect(&:value)
no_store
else else
flash[:warning] = l('twofa_backup_codes_already_shown', bc_path: my_twofa_backup_codes_init_path) flash[:warning] = l('twofa_backup_codes_already_shown', bc_path: my_twofa_backup_codes_init_path)
redirect_to controller: 'my', action: 'account' redirect_to controller: 'my', action: 'account'

1
app/controllers/twofa_controller.rb
View File

@ -45,6 +45,7 @@ class TwofaController < ApplicationController
def activate_confirm def activate_confirm
@twofa_view = @twofa.init_pairing_view_variables @twofa_view = @twofa.init_pairing_view_variables
no_store
end end
def activate def activate

6
test/integration/twofa_test.rb
View File

@ -102,6 +102,7 @@ class TwofaTest < Redmine::IntegrationTest
end end
test "should generate and accept backup codes" do test "should generate and accept backup codes" do
# this also checks that all actions with secrets aren't cached
log_user('jsmith', 'jsmith') log_user('jsmith', 'jsmith')
get "/my/account" get "/my/account"
assert_response :success assert_response :success
@ -109,6 +110,7 @@ class TwofaTest < Redmine::IntegrationTest
assert_redirected_to "/my/twofa/totp/activate/confirm" assert_redirected_to "/my/twofa/totp/activate/confirm"
follow_redirect! follow_redirect!
assert_response :success assert_response :success
assert_includes @response.headers['Cache-Control'], 'no-store'
totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key
post "/my/twofa/totp/activate", params: {twofa_code: totp.now} post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
@ -121,12 +123,14 @@ class TwofaTest < Redmine::IntegrationTest
assert_redirected_to "/my/twofa/backup_codes/confirm" assert_redirected_to "/my/twofa/backup_codes/confirm"
follow_redirect! follow_redirect!
assert_response :success assert_response :success
assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select 'form', /Please enter your two-factor authentication code/i assert_select 'form', /Please enter your two-factor authentication code/i
post "/my/twofa/backup_codes/create", params: {twofa_code: "wrong"} post "/my/twofa/backup_codes/create", params: {twofa_code: "wrong"}
assert_redirected_to "/my/twofa/backup_codes/confirm" assert_redirected_to "/my/twofa/backup_codes/confirm"
follow_redirect! follow_redirect!
assert_response :success assert_response :success
assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select 'form', /Please enter your two-factor authentication code/i assert_select 'form', /Please enter your two-factor authentication code/i
# prevent replay attack prevention from kicking in # prevent replay attack prevention from kicking in
@ -136,6 +140,7 @@ class TwofaTest < Redmine::IntegrationTest
assert_redirected_to "/my/twofa/backup_codes" assert_redirected_to "/my/twofa/backup_codes"
follow_redirect! follow_redirect!
assert_response :success assert_response :success
assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select ".flash", /your backup codes have been generated/i assert_select ".flash", /your backup codes have been generated/i
assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first
@ -155,6 +160,7 @@ class TwofaTest < Redmine::IntegrationTest
} }
assert_redirected_to "/account/twofa/confirm" assert_redirected_to "/account/twofa/confirm"
follow_redirect! follow_redirect!
assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select "#login-form h3", /two-factor authentication/i assert_select "#login-form h3", /two-factor authentication/i
post "/account/twofa", params: {twofa_code: code} post "/account/twofa", params: {twofa_code: code}