aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-17 14:04:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add code to check for the potential of session ID duplication during ID generation (#2075)

Browse Source 
* Add code to check for the potential of session ID duplication during ID generation
This commit is contained in:
Kevin Chung
2022-03-29 17:17:59 -04:00
committed by GitHub
parent fc7516c91f
commit 00bb891457
2 changed files with 42 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
CTFd/utils/sessions/__init__.py
View File

@@ -51,7 +51,12 @@ class CachingSessionInterface(SessionInterface):
session_class = CachedSession session_class = CachedSession
def _generate_sid(self): def _generate_sid(self):
return str(uuid4()) sid = str(uuid4())
v = cache.get(key=self.key_prefix + sid)
while v:
sid = str(uuid4())
v = cache.get(key=self.key_prefix + sid)
return sid
def __init__(self, key_prefix, use_signer=True, permanent=False): def __init__(self, key_prefix, use_signer=True, permanent=False):
self.key_prefix = key_prefix self.key_prefix = key_prefix

36
tests/utils/test_sessions.py
View File

@@ -1,3 +1,7 @@
from uuid import UUID
from mock import Mock, patch
from tests.helpers import create_ctfd, destroy_ctfd, login_as_user, register_user from tests.helpers import create_ctfd, destroy_ctfd, login_as_user, register_user
@@ -60,3 +64,35 @@ def test_session_invalidation_on_user_password_change():
# They should not be logged out # They should not be logged out
assert r.status_code == 200 assert r.status_code == 200
destroy_ctfd(app) destroy_ctfd(app)
# @patch.object(uuid, 'uuid4', side_effect=TEST_UUIDS)
# @patch.object(uuid, 'uuid4')
def test_session_with_duplicate_session_id():
app = create_ctfd()
with app.app_context():
register_user(app)
register_user(app, name="user1", email="user1@examplectf.com")
TEST_UUIDS = [
# First user login successful
UUID("2d0ac3a8-b956-491a-9f53-d27cd33f2529"),
UUID("85e61378-5bc4-4cc8-a37e-b03270b7b172"),
# Second user gets a unique UUID then a duplicated one
UUID("c47c907f-d508-4f23-a28a-a1af1e9d3f27"),
UUID("85e61378-5bc4-4cc8-a37e-b03270b7b172"),
UUID("85e61378-5bc4-4cc8-a37e-b03270b7b172"),
UUID("85e61378-5bc4-4cc8-a37e-b03270b7b172"),
UUID("85e61378-5bc4-4cc8-a37e-b03270b7b172"),
UUID("85e61378-5bc4-4cc8-a37e-b03270b7b172"),
# Second user should finally receive a unique UUID
UUID("a00aff35-a12e-465a-8747-e18f78f60b13"),
UUID("da876038-7602-4bb0-88b8-f7104094219f"),
]
uuid_mock = Mock(side_effect=TEST_UUIDS)
with patch(target="CTFd.utils.sessions.uuid4", new=uuid_mock):
login_as_user(app)
with patch(target="CTFd.utils.sessions.uuid4", new=uuid_mock):
login_as_user(app, name="user1")
destroy_ctfd(app)