Git-Mirrors/keepassxc
1
0
Fork 0
mirror of https://github.com/keepassxreboot/keepassxc.git synced 2024-10-01 01:26:01 -04:00
Code Issues Packages Projects Releases Wiki Activity

Passkeys: Fix RP ID validation

Browse Source
This commit is contained in:
varjolintu 2024-03-11 16:39:40 +02:00 committed by Jonathan White
parent 969d3f9b23
commit bd5984ca82
No known key found for this signature in database
GPG Key ID: 440FC65F2E0C6E01
3 changed files with 14 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/browser/BrowserService.cpp
View File

@ -581,7 +581,7 @@ QJsonObject BrowserService::showPasskeysRegisterPrompt(const QJsonObject& public
} }
const auto excludeCredentials = credentialCreationOptions["excludeCredentials"].toArray(); const auto excludeCredentials = credentialCreationOptions["excludeCredentials"].toArray();
const auto rpId = publicKeyOptions["rp"]["id"].toString(); const auto rpId = credentialCreationOptions["rp"].toObject()["id"].toString();
const auto timeout = publicKeyOptions["timeout"].toInt(); const auto timeout = publicKeyOptions["timeout"].toInt();
const auto username = credentialCreationOptions["user"].toObject()["name"].toString(); const auto username = credentialCreationOptions["user"].toObject()["name"].toString();
const auto user = credentialCreationOptions["user"].toObject(); const auto user = credentialCreationOptions["user"].toObject();

11
src/browser/PasskeyUtils.cpp
View File

@ -109,14 +109,17 @@ int PasskeyUtils::validateRpId(const QJsonValue& rpIdValue, const QString& effec
return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH; return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH;
} }
if (rpIdValue.isUndefined()) {
return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH;
}
if (effectiveDomain.isEmpty()) { if (effectiveDomain.isEmpty()) {
return ERROR_PASSKEYS_ORIGIN_NOT_ALLOWED; return ERROR_PASSKEYS_ORIGIN_NOT_ALLOWED;
} }
// The RP ID defaults to being the caller's origin's effective domain unless the caller has explicitly set
// options.rp.id
if (rpIdValue.isUndefined() || rpIdValue.isNull()) {
*result = effectiveDomain;
return PASSKEYS_SUCCESS;
}
const auto rpId = rpIdValue.toString(); const auto rpId = rpIdValue.toString();
if (!isRegistrableDomainSuffix(rpId, effectiveDomain)) { if (!isRegistrableDomainSuffix(rpId, effectiveDomain)) {
return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH; return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH;

11
tests/TestPasskeys.cpp
View File

@ -573,17 +573,18 @@ void TestPasskeys::testRpIdValidation()
QString result; QString result;
auto allowedIdentical = passkeyUtils()->validateRpId(QString("example.com"), QString("example.com"), &result); auto allowedIdentical = passkeyUtils()->validateRpId(QString("example.com"), QString("example.com"), &result);
QCOMPARE(result, QString("example.com")); QCOMPARE(result, QString("example.com"));
QVERIFY(allowedIdentical == 0); QVERIFY(allowedIdentical == PASSKEYS_SUCCESS);
result.clear(); result.clear();
auto allowedSubdomain = passkeyUtils()->validateRpId(QString("example.com"), QString("www.example.com"), &result); auto allowedSubdomain = passkeyUtils()->validateRpId(QString("example.com"), QString("www.example.com"), &result);
QCOMPARE(result, QString("example.com")); QCOMPARE(result, QString("example.com"));
QVERIFY(allowedSubdomain == 0); QVERIFY(allowedSubdomain == PASSKEYS_SUCCESS);
result.clear(); result.clear();
auto emptyRpId = passkeyUtils()->validateRpId({}, QString("example.com"), &result); QJsonValue emptyValue;
QCOMPARE(result, QString("")); auto emptyRpId = passkeyUtils()->validateRpId(emptyValue, QString("example.com"), &result);
QVERIFY(emptyRpId == ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH); QCOMPARE(result, QString("example.com"));
QVERIFY(emptyRpId == PASSKEYS_SUCCESS);
result.clear(); result.clear();
auto ipRpId = passkeyUtils()->validateRpId(QString("127.0.0.1"), QString("example.com"), &result); auto ipRpId = passkeyUtils()->validateRpId(QString("127.0.0.1"), QString("example.com"), &result);