Do not allow to reuse TOTP passcode #3878
Conversation
lafriks
added
type/enhancement
Codecov Report
@@ Coverage Diff @@
## master #3878 +/- ##
==========================================
- Coverage 20.18% 20.16% -0.02%
==========================================
Files 145 145
Lines 29151 29156 +5
==========================================
- Hits 5883 5880 -3
- Misses 22374 22381 +7
- Partials 894 895 +1
Continue to review full report at Codecov.
|
bkcsoft
added
the
lgtm/need 2
|
Thank you for taking care of the security issues reported, even those with lower priority like this one. |
|
edit: noticed a minor typo |
bkcsoft
added
lgtm/need 1
models/migrations/migrations.go
Outdated
| @@ -176,6 +176,8 @@ var migrations = []Migration{ | |||
| NewMigration("add is_fsck_enabled column for repos", addFsckEnabledToRepo), | |||
| // v61 -> v62 | |||
| NewMigration("add size column for attachments", addSizeToAttachment), | |||
| // v62 -> v63 | |||
| NewMigration("add last used passcode column for TOPT", addLastUsedPasscodeTOPT), | |||
There was a problem hiding this comment.
Incorrect acronym, this should be TOTP (per: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm). There are other places in this PR that have the incorrect acronym.
Sorry for noticing this after my LG-TM, this should be an easy fix though.
bkcsoft
added
lgtm/done
lafriks
changed the title
|
@techknowlogick fixed |
|
thanks @lafriks, I've just approved. |
|
@daviian it is one time usage passcode. Hashing would not give much anyway as it could be easily bruteforced back to normal value (only six digits so that would take few seconds to get value back from hash), I don't think it would change much if anything |
|
Don't want to block that PR ;) But if it's that easy to bruteforce TOTP, why use it in the first place? |
|
@daviian I think @lafriks means that it is easy to bruteforce a hash of 6 characters, so if an attacker has access to the DB a hash wouldn't really stop them from knowing what the token was. This is fine because tokens change every 30 seconds, and this is a protection just in case someone MITM a user to intercept the token so it can't be re-used. |
|
@techknowlogick @lafriks You are totally right! 👍 |
|
As this is more enchantment and it is hard to backport to 1.4 without breaking upgrade process, I will not backport it |
|
Personally I don't care too much, but may I ask why finders don't receive any credits? Indeed, it would be really appreciated... |
|
@cezar97 I can't speak on behalf of the other maintainers, but I've asked for a thanks to be added to the blog post for the release notes. As only owners see the security reports I wasn't able to add the appropriate thanks to my PR for the release blog post. |
|
@cezar97 finders will get credits in blog post |
* SECURITY * Limit uploaded avatar image-size to 4096x3072 by default (go-gitea#4353) * Do not allow to reuse TOTP passcode (go-gitea#3878) * FEATURE * Add cli commands to regen hooks & keys (go-gitea#3979) * Add support for FIDO U2F (go-gitea#3971) * Added user language setting (go-gitea#3875) * LDAP Public SSH Keys synchronization (go-gitea#1844) * Add topic support (go-gitea#3711) * Multiple assignees (go-gitea#3705) * Add protected branch whitelists for merging (go-gitea#3689) * Global code search support (go-gitea#3664) * Add label descriptions (go-gitea#3662) * Add issue search via API (go-gitea#3612) * Add repository setting to enable/disable health checks (go-gitea#3607) * Emoji Autocomplete (go-gitea#3433) * Implements generator cli for secrets (go-gitea#3531) * ENHANCEMENT * Add more webhooks support and refactor webhook templates directory (go-gitea#3929) * Add new option to allow only OAuth2/OpenID user registration (go-gitea#3910) * Add option to use paged LDAP search when synchronizing users (go-gitea#3895) * Symlink icons (go-gitea#1416) * Improve release page UI (go-gitea#3693) * Add admin dashboard option to run health checks (go-gitea#3606) * Add branch link in branch list (go-gitea#3576) * Reduce sql query times in retrieveFeeds (go-gitea#3547) * Option to enable or disable swagger endpoints (go-gitea#3502) * Add missing licenses (go-gitea#3497) * Reduce repo indexer disk usage (go-gitea#3452) * Enable caching on assets and avatars (go-gitea#3376) * Add repository search ordered by stars/forks. Forks column in admin repo list (go-gitea#3969) * Add Environment Variables to Docker template (go-gitea#4012) * LFS: make HTTP auth period configurable (go-gitea#4035) * Add config path as an optionial flag when changing pass via CLI (go-gitea#4184) * Refactor User Settings sections (go-gitea#3900) * Allow square brackets in external issue patterns (go-gitea#3408) * Add Attachment API (go-gitea#3478) * Add EnableTimetracking option to app settings (go-gitea#3719) * Add config option to enable or disable log executed SQL (go-gitea#3726) * Shows total tracked time in issue and milestone list (go-gitea#3341) * TRANSLATION * Improve English grammar and consistency (go-gitea#3614) * DEPLOYMENT * Allow Gitea to run as different USER in Docker (go-gitea#3961) * Provide compressed release binaries (go-gitea#3991) * Sign release binaries (go-gitea#4188)
No description provided.