themaster1970sf/TShock
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

Updated REST to use an RNGCryptoServiceProvider for more secure random numbers involved in token generation.

Browse source 
Also removes some unnecessary limitations.
Closes #1388
This commit is contained in:
White 2017-01-31 11:25:59 +10:30
parent 94fb0e18b7
commit 26010c0acf
1 changed files with 7 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

13
TShockAPI/Rest/SecureRest.cs
View file

@ -25,6 +25,7 @@ using TShockAPI;
using TShockAPI.DB;
using Microsoft.Xna.Framework;
using Terraria;
using System.Security.Cryptography;
namespace Rests
{
@ -41,6 +42,8 @@ namespace Rests
public Dictionary<string, TokenData> Tokens { get; protected set; }
public Dictionary<string, TokenData> AppTokens { get; protected set; }
private RNGCryptoServiceProvider _rng = new RNGCryptoServiceProvider();
public SecureRest(IPAddress ip, int port)
: base(ip, port)
{
@ -112,7 +115,7 @@ namespace Rests
int tokens = 0;
if (tokenBucket.TryGetValue(context.RemoteEndPoint.Address.ToString(), out tokens))
{
if (tokens >= Math.Max(TShock.Config.RESTMaximumRequestsPerInterval, 5))
if (tokens >= TShock.Config.RESTMaximumRequestsPerInterval)
{
TShock.Log.ConsoleError("A REST login from {0} was blocked as it currently has {1} tokens", context.RemoteEndPoint.Address.ToString(), tokens);
tokenBucket[context.RemoteEndPoint.Address.ToString()] += 1; // Tokens over limit, increment by one and reject request
@ -121,8 +124,7 @@ namespace Rests
Error = "Username or password may be incorrect or this account may not have sufficient privileges."
};
}
if (!TShock.Config.RESTLimitOnlyFailedLoginRequests)
tokenBucket[context.RemoteEndPoint.Address.ToString()] += 1; // Tokens under limit, increment by one and process request
tokenBucket[context.RemoteEndPoint.Address.ToString()] += 1; // Tokens under limit, increment by one and process request
}
else
{
@ -150,13 +152,12 @@ namespace Rests
return new RestObject("403")
{ Error = "Username or password may be incorrect or this account may not have sufficient privileges." };
}
string tokenHash;
var rand = new Random();
var randbytes = new byte[32];
do
{
rand.NextBytes(randbytes);
_rng.GetBytes(randbytes);
tokenHash = randbytes.Aggregate("", (s, b) => s + b.ToString("X2"));
} while (Tokens.ContainsKey(tokenHash));