Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Wrong OAuth anti-forgery unique session token generation #66

Open
pwargulak opened this issue Nov 17, 2022 · 0 comments
Open

Wrong OAuth anti-forgery unique session token generation #66

pwargulak opened this issue Nov 17, 2022 · 0 comments

Comments

@pwargulak
Copy link

pwargulak commented Nov 17, 2022

Hello,

there is this generate_state method in oauth.py:

def generate_state(self):
        """
        Generates a state which is required during the OAuth sign-in process
        """
        return jwt.encode(
            request.args.to_dict(flat=False),
            self.appbuilder.app.config["SECRET_KEY"],
            algorithm="HS256",
        )

It generates 'static' values for all sessions, meaning if you got one you will know values for all sessions for a server.

It seems the intention for this 'state' parameter is to be a CRSF protection, so it should be random.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant