Commit 717eaa6

authored

Merge pull request #3422 from cdr/jsjoeio/fix-password-hash

fix: use sufficient computational effort for password hash

2 parents d8c3ba6 + 1e55a64 commit 717eaa6Copy full SHA for 717eaa6

File tree

21 files changed

+1083

-69

lines changed

CHANGELOG.md
ci/build
- build-standalone-release.sh
- npm-postinstall.sh
docs
- FAQ.md
package.json
src/node
- cli.ts
- http.ts
- routes
- util.ts
test
- config.ts
- package.json
- unit
  - cli.test.ts
  - node
    - util.test.ts
- yarn.lock
typings
- pluginapi.d.ts
yarn.lock

21 files changed

+1083

-69

lines changed

`‎CHANGELOG.md‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ VS Code v0.00.0`
`59`	`59`	`- chore: cross-compile docker images with buildx #3166 @oxy`
`60`	`60`	`- chore: update node to v14 #3458 @oxy`
`61`	`61`	`- chore: update .gitignore #3557 @cuining`
	`62`	`+- fix: use sufficient computational effort for password hash #3422 @jsjoeio`
`62`	`63`
`63`	`64`	`### Development`
`64`	`65`

`‎ci/build/build-standalone-release.sh‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,10 @@`
`1`	`1`	`#!/usr/bin/env bash`
`2`	`2`	`set -euo pipefail`
`3`	`3`
	`4`	`+# This is due to an upstream issue with RHEL7/CentOS 7 comptability with node-argon2`
	`5`	`+# See: https://github.com/cdr/code-server/pull/3422#pullrequestreview-677765057`
	`6`	`+export npm_config_build_from_source=true`
	`7`	`+`
`4`	`8`	`main() {`
`5`	`9`	`cd "$(dirname "${0}")/../.."`
`6`	`10`	`source ./ci/lib.sh`

`‎ci/build/npm-postinstall.sh‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,9 @@ detect_arch() {`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`ARCH="${NPM_CONFIG_ARCH:-$(detect_arch)}"`
	`21`	`+# This is due to an upstream issue with RHEL7/CentOS 7 comptability with node-argon2`
	`22`	`+# See: https://github.com/cdr/code-server/pull/3422#pullrequestreview-677765057`
	`23`	`+export npm_config_build_from_source=true`
`21`	`24`
`22`	`25`	`main() {`
`23`	`26`	`# Grabs the major version of node from $npm_config_user_agent which looks like`

`‎docs/FAQ.md‎`

Lines changed: 5 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -205,17 +205,18 @@ Again, please follow [./guide.md](./guide.md) for our recommendations on setting`
`205`	`205`
`206`	`206`	Yes you can! Set the value of `hashed-password` instead of `password`. Generate the hash with:
`207`	`207`
`208`		-```
`209`		`-printf "thisismypassword" \| sha256sum \| cut -d' ' -f1`
	`208`	+```shell
	`209`	`+echo -n "password" \| npx argon2-cli -e`
	`210`	`+$argon2i$v=19$m=4096,t=3,p=1$wst5qhbgk2lu1ih4dmuxvg$ls1alrvdiwtvzhwnzcm1dugg+5dto3dt1d5v9xtlws4`
`210`	`211`	```
`211`	`212`
`212`		-Of course replace `thisismypassword` with your actual password.
	`213`	+Of course replace `thisismypassword` with your actual password and remember to put it inside quotes!
`213`	`214`
`214`	`215`	`Example:`
`215`	`216`
`216`	`217`	```yaml
`217`	`218`	`auth: password`
`218`		`-hashed-password: 1da9133ab9dbd11d2937ec8d312e1e2569857059e73cc72df92e670928983ab5 # You got this from the command above`
	`219`	`+hashed-password: "$argon2i$v=19$m=4096,t=3,p=1$wST5QhBgk2lu1ih4DMuxvg$LS1alrVdIWtvZHwnzCM1DUGg+5DTO3Dt1d5v9XtLws4"`
`219`	`220`	```
`220`	`221`
`221`	`222`	`## How do I securely access web services?`

`‎package.json‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,7 @@`
`88`	`88`	`},`
`89`	`89`	`"dependencies": {`
`90`	`90`	`"@coder/logger": "1.1.16",`
	`91`	`+ "argon2": "^0.28.0",`
`91`	`92`	`"body-parser": "^1.19.0",`
`92`	`93`	`"compression": "^1.7.4",`
`93`	`94`	`"cookie-parser": "^1.4.5",`

`‎src/node/cli.ts‎`

Lines changed: 16 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,7 @@ const options: Options<Required<Args>> = {`
`114`	`114`	`"hashed-password": {`
`115`	`115`	`type: "string",`
`116`	`116`	`description:`
`117`		`- "The password hashed with SHA-256 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +`
	`117`	`+ "The password hashed with argon2 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +`
`118`	`118`	`"Takes precedence over 'password'.",`
`119`	`119`	`},`
`120`	`120`	`cert: {`
`@@ -240,6 +240,19 @@ export const optionDescriptions = (): string[] => {`
`240`	`240`	`})`
`241`	`241`	`}`
`242`	`242`
	`243`	`+export function splitOnFirstEquals(str: string): string[] {`
	`244`	`+ // we use regex instead of "=" to ensure we split at the first`
	`245`	`+ // "=" and return the following substring with it`
	`246`	`+ // important for the hashed-password which looks like this`
	`247`	`+ // $argon2i$v=19$m=4096,t=3,p=10ドルqR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY`
	`248`	`+ // 2 means return two items`
	`249`	`+ // Source: https://stackoverflow.com/a/4607799/3015595`
	`250`	`+ // We use the ? to say the the substr after the = is optional`
	`251`	`+ const split = str.split(/=(.+)?/, 2)`
	`252`	`+`
	`253`	`+ return split`
	`254`	`+}`
	`255`	`+`
`243`	`256`	`export const parse = (`
`244`	`257`	`argv: string[],`
`245`	`258`	`opts?: {`
`@@ -250,6 +263,7 @@ export const parse = (`
`250`	`263`	`if (opts?.configFile) {`
`251`	`264`	msg = `error reading ${opts.configFile}: ${msg}`
`252`	`265`	`}`
	`266`	`+`
`253`	`267`	`return new Error(msg)`
`254`	`268`	`}`
`255`	`269`
`@@ -270,7 +284,7 @@ export const parse = (`
`270`	`284`	`let key: keyof Args \| undefined`
`271`	`285`	`let value: string \| undefined`
`272`	`286`	`if (arg.startsWith("--")) {`
`273`		`- const split = arg.replace(/^--/, "").split("=",2)`
	`287`	`+ const split = splitOnFirstEquals(arg.replace(/^--/, ""))`
`274`	`288`	`key = split[0] as keyof Args`
`275`	`289`	`value = split[1]`
`276`	`290`	`} else {`

`‎src/node/http.ts‎`

Lines changed: 25 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,13 +2,12 @@ import { field, logger } from "@coder/logger"`
`2`	`2`	`import * as express from "express"`
`3`	`3`	`import * as expressCore from "express-serve-static-core"`
`4`	`4`	`import qs from "qs"`
`5`		`-import safeCompare from "safe-compare"`
`6`	`5`	`import { HttpCode, HttpError } from "../common/http"`
`7`	`6`	`import { normalize, Options } from "../common/util"`
`8`	`7`	`import { AuthType, DefaultedArgs } from "./cli"`
`9`	`8`	`import { commit, rootPath } from "./constants"`
`10`	`9`	`import { Heart } from "./heart"`
`11`		`-import { hash } from "./util"`
	`10`	`+import { getPasswordMethod,IsCookieValidArgs,isCookieValid,sanitizeString } from "./util"`
`12`	`11`
`13`	`12`	`declare global {`
`14`	`13`	`// eslint-disable-next-line @typescript-eslint/no-namespace`
`@@ -45,8 +44,13 @@ export const replaceTemplates = <T extends object>(`
`45`	`44`	`/**`
`46`	`45`	* Throw an error if not authorized. Call `next` if provided.
`47`	`46`	`*/`
`48`		`-export const ensureAuthenticated = (req: express.Request, _?: express.Response, next?: express.NextFunction): void => {`
`49`		`- if (!authenticated(req)) {`
	`47`	`+export const ensureAuthenticated = async (`
	`48`	`+ req: express.Request,`
	`49`	`+ _?: express.Response,`
	`50`	`+ next?: express.NextFunction,`
	`51`	`+): Promise<void> => {`
	`52`	`+ const isAuthenticated = await authenticated(req)`
	`53`	`+ if (!isAuthenticated) {`
`50`	`54`	`throw new HttpError("Unauthorized", HttpCode.Unauthorized)`
`51`	`55`	`}`
`52`	`56`	`if (next) {`
`@@ -57,20 +61,27 @@ export const ensureAuthenticated = (req: express.Request, _?: express.Response,`
`57`	`61`	`/**`
`58`	`62`	`* Return true if authenticated via cookies.`
`59`	`63`	`*/`
`60`		`-export const authenticated = (req: express.Request): boolean => {`
	`64`	`+export const authenticated = async(req: express.Request): Promise<boolean> => {`
`61`	`65`	`switch (req.args.auth) {`
`62`		`- case AuthType.None:`
	`66`	`+ case AuthType.None:{`
`63`	`67`	`return true`
`64`		`- case AuthType.Password:`
	`68`	`+ }`
	`69`	`+ case AuthType.Password: {`
`65`	`70`	`// The password is stored in the cookie after being hashed.`
`66`		`- return !!(`
`67`		`- req.cookies.key &&`
`68`		`- (req.args["hashed-password"]`
`69`		`- ? safeCompare(req.cookies.key, req.args["hashed-password"])`
`70`		`- : req.args.password && safeCompare(req.cookies.key, hash(req.args.password)))`
`71`		`- )`
`72`		`- default:`
	`71`	`+ const hashedPasswordFromArgs = req.args["hashed-password"]`
	`72`	`+ const passwordMethod = getPasswordMethod(hashedPasswordFromArgs)`
	`73`	`+ const isCookieValidArgs: IsCookieValidArgs = {`
	`74`	`+ passwordMethod,`
	`75`	`+ cookieKey: sanitizeString(req.cookies.key),`
	`76`	`+ passwordFromArgs: req.args.password \|\| "",`
	`77`	`+ hashedPasswordFromArgs: req.args["hashed-password"],`
	`78`	`+ }`
	`79`	`+`
	`80`	`+ return await isCookieValid(isCookieValidArgs)`
	`81`	`+ }`
	`82`	`+ default: {`
`73`	`83`	throw new Error(`Unsupported auth type ${req.args.auth}`)
	`84`	`+ }`
`74`	`85`	`}`
`75`	`86`	`}`
`76`	`87`

`‎src/node/routes/domainProxy.ts‎`

Lines changed: 5 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,14 +32,15 @@ const maybeProxy = (req: Request): string \| undefined => {`
`32`	`32`	`return port`
`33`	`33`	`}`
`34`	`34`
`35`		`-router.all("*", (req, res, next) => {`
	`35`	`+router.all("*", async(req, res, next) => {`
`36`	`36`	`const port = maybeProxy(req)`
`37`	`37`	`if (!port) {`
`38`	`38`	`return next()`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`// Must be authenticated to use the proxy.`
`42`		`- if (!authenticated(req)) {`
	`42`	`+ const isAuthenticated = await authenticated(req)`
	`43`	`+ if (!isAuthenticated) {`
`43`	`44`	`// Let the assets through since they're used on the login page.`
`44`	`45`	`if (req.path.startsWith("/static/") && req.method === "GET") {`
`45`	`46`	`return next()`
`@@ -73,14 +74,14 @@ router.all("*", (req, res, next) => {`
`73`	`74`
`74`	`75`	`export const wsRouter = WsRouter()`
`75`	`76`
`76`		`-wsRouter.ws("*", (req, _, next) => {`
	`77`	`+wsRouter.ws("*", async(req, _, next) => {`
`77`	`78`	`const port = maybeProxy(req)`
`78`	`79`	`if (!port) {`
`79`	`80`	`return next()`
`80`	`81`	`}`
`81`	`82`
`82`	`83`	`// Must be authenticated to use the proxy.`
`83`		`- ensureAuthenticated(req)`
	`84`	`+ awaitensureAuthenticated(req)`
`84`	`85`
`85`	`86`	`proxy.ws(req, req.ws, req.head, {`
`86`	`87`	`ignorePath: true,`

`‎src/node/routes/index.ts‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -98,8 +98,8 @@ export const register = async (`
`98`	`98`	`app.all("/proxy/(:port)(/*)?", (req, res) => {`
`99`	`99`	`pathProxy.proxy(req, res)`
`100`	`100`	`})`
`101`		`- wsApp.get("/proxy/(:port)(/*)?", (req) => {`
`102`		`- pathProxy.wsProxy(req as pluginapi.WebsocketRequest)`
	`101`	`+ wsApp.get("/proxy/(:port)(/*)?", async(req) => {`
	`102`	`+ awaitpathProxy.wsProxy(req as pluginapi.WebsocketRequest)`
`103`	`103`	`})`
`104`	`104`	`// These two routes pass through the path directly.`
`105`	`105`	`// So the proxied app must be aware it is running`
`@@ -109,8 +109,8 @@ export const register = async (`
`109`	`109`	`passthroughPath: true,`
`110`	`110`	`})`
`111`	`111`	`})`
`112`		`- wsApp.get("/absproxy/(:port)(/*)?", (req) => {`
`113`		`- pathProxy.wsProxy(req as pluginapi.WebsocketRequest, {`
	`112`	`+ wsApp.get("/absproxy/(:port)(/*)?", async(req) => {`
	`113`	`+ awaitpathProxy.wsProxy(req as pluginapi.WebsocketRequest, {`
`114`	`114`	`passthroughPath: true,`
`115`	`115`	`})`
`116`	`116`	`})`

`‎src/node/routes/login.ts‎`

Lines changed: 17 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,10 +2,9 @@ import { Router, Request } from "express"`
`2`	`2`	`import { promises as fs } from "fs"`
`3`	`3`	`import { RateLimiter as Limiter } from "limiter"`
`4`	`4`	`import * as path from "path"`
`5`		`-import safeCompare from "safe-compare"`
`6`	`5`	`import { rootPath } from "../constants"`
`7`	`6`	`import { authenticated, getCookieDomain, redirect, replaceTemplates } from "../http"`
`8`		`-import { hash,humanPath } from "../util"`
	`7`	`+import { getPasswordMethod,handlePasswordValidation,humanPath,sanitizeString } from "../util"`
`9`	`8`
`10`	`9`	`export enum Cookie {`
`11`	`10`	`Key = "key",`
`@@ -49,9 +48,9 @@ const limiter = new RateLimiter()`
`49`	`48`
`50`	`49`	`export const router = Router()`
`51`	`50`
`52`		`-router.use((req, res, next) => {`
	`51`	`+router.use(async(req, res, next) => {`
`53`	`52`	`const to = (typeof req.query.to === "string" && req.query.to) \|\| "/"`
`54`		`- if (authenticated(req)) {`
	`53`	`+ if (awaitauthenticated(req)) {`
`55`	`54`	`return redirect(req, res, to, { to: undefined })`
`56`	`55`	`}`
`57`	`56`	`next()`
`@@ -62,24 +61,31 @@ router.get("/", async (req, res) => {`
`62`	`61`	`})`
`63`	`62`
`64`	`63`	`router.post("/", async (req, res) => {`
	`64`	`+ const password = sanitizeString(req.body.password)`
	`65`	`+ const hashedPasswordFromArgs = req.args["hashed-password"]`
	`66`	`+`
`65`	`67`	`try {`
`66`	`68`	`// Check to see if they exceeded their login attempts`
`67`	`69`	`if (!limiter.canTry()) {`
`68`	`70`	`throw new Error("Login rate limited!")`
`69`	`71`	`}`
`70`	`72`
`71`		`- if (!req.body.password) {`
	`73`	`+ if (!password) {`
`72`	`74`	`throw new Error("Missing password")`
`73`	`75`	`}`
`74`	`76`
`75`		`- if (`
`76`		`- req.args["hashed-password"]`
`77`		`- ? safeCompare(hash(req.body.password), req.args["hashed-password"])`
`78`		`- : req.args.password && safeCompare(req.body.password, req.args.password)`
`79`		`- ) {`
	`77`	`+ const passwordMethod = getPasswordMethod(hashedPasswordFromArgs)`
	`78`	`+ const { isPasswordValid, hashedPassword } = await handlePasswordValidation({`
	`79`	`+ passwordMethod,`
	`80`	`+ hashedPasswordFromArgs,`
	`81`	`+ passwordFromRequestBody: password,`
	`82`	`+ passwordFromArgs: req.args.password,`
	`83`	`+ })`
	`84`	`+`
	`85`	`+ if (isPasswordValid) {`
`80`	`86`	`// The hash does not add any actual security but we do it for`
`81`	`87`	`// obfuscation purposes (and as a side effect it handles escaping).`
`82`		`- res.cookie(Cookie.Key, hash(req.body.password), {`
	`88`	`+ res.cookie(Cookie.Key, hashedPassword, {`
`83`	`89`	`domain: getCookieDomain(req.headers.host \|\| "", req.args["proxy-domain"]),`
`84`	`90`	`path: req.body.base \|\| "/",`
`85`	`91`	`sameSite: "lax",`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 717eaa6

File tree

21 files changed

21 files changed

`‎CHANGELOG.md‎`

`‎ci/build/build-standalone-release.sh‎`

`‎ci/build/npm-postinstall.sh‎`

`‎docs/FAQ.md‎`

`‎package.json‎`

`‎src/node/cli.ts‎`

`‎src/node/http.ts‎`

`‎src/node/routes/domainProxy.ts‎`

`‎src/node/routes/index.ts‎`

`‎src/node/routes/login.ts‎`

0 commit comments