[Rt-commit] rt branch 4.4/security-tests-2021 created. rt-4.4.6-6-gc39b3438b5

BPS Git Server git at git.bestpractical.com
Thu Jul 14 21:21:18 UTC 2022


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 4.4/security-tests-2021 has been created
        at  c39b3438b51a94ef56340c2e1d3aab8930a5e008 (commit)

- Log -----------------------------------------------------------------
commit c39b3438b51a94ef56340c2e1d3aab8930a5e008
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Jul 15 05:09:52 2022 +0800

    Add security tests for vulnerabilities released between 2014 and 2021
    
    This includes tests for:
    
        CVE-2014-9472: mailgate dos
        CVE-2021-38562: side channel attack

diff --git a/t/security/CVE-2014-9472-decode-dos.t b/t/security/CVE-2014-9472-decode-dos.t
new file mode 100644
index 0000000000..8bdce7d8bb
--- /dev/null
+++ b/t/security/CVE-2014-9472-decode-dos.t
@@ -0,0 +1,45 @@
+use strict;
+use warnings;
+
+use RT::Test tests => undef;
+plan skip_all => "Requires perl >= 5.14.0 to generate the warnings"
+    if $] lt '5.014';
+
+my $mail = <<'EOF';
+From: root at localhost
+To: rt at localhost
+Subject: Testing
+Content-Type: text/plain; charset="utf-32LE"
+Content-Transfer-Encoding: base64
+
+EOF
+$mail .= (("F" x 76)."\r\n") x 100;
+
+# We do this via callback on the logger because it is otherwise hard to
+# know what got skipped by our $SIG{__WARN__}
+my @warnings;
+
+# Stop warnings from going to STDERR; even when passing, we expect this
+# to generate warnings.
+ok $RT::Logger->remove( 'rttest' );
+
+$RT::Logger->add_callback(
+    sub {
+        my (%args) = @_;
+        push @warnings, $args{message} if $args{level} eq "warning";
+        return $args{message};
+    }
+);
+
+my ($status, $id) = RT::Test->send_via_mailgate(
+    $mail,
+    queue => "general"
+);
+
+ok @warnings < 20, "There are up to a small number or warnings; got @{[@warnings+0]}";
+
+# Clear our the warnings to make Test::NoWarnings happy.  We know we
+# generated some.
+Test::NoWarnings->clear_warnings;
+
+done_testing;
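Review bot: The `$status` and `$id` returned by `send_via_mailgate` on line 65 are captured but never asserted, so the test still passes if the gateway aborts outright instead of finishing with a bounded number of warnings. A denial-of-service regression test should also pin that the message was actually processed; if the helper's return convention is the usual one (it lives in RT::Test, outside this diff), `ok $id, 'message was processed despite the bogus charset';` after the call would do. The description on line 70 has a typo: `"There are up to a small number of warnings; got @{[@warnings+0]}"`.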
diff --git a/t/security/CVE-2021-38562-timing-side-channel.t b/t/security/CVE-2021-38562-timing-side-channel.t
new file mode 100644
index 0000000000..fa7a5a126e
--- /dev/null
+++ b/t/security/CVE-2021-38562-timing-side-channel.t
@@ -0,0 +1,54 @@
+use strict;
+use warnings;
+
+use RT::Test;
+use Time::HiRes qw(tv_interval gettimeofday);
+
+my ( $baseurl, $m ) = RT::Test->started_ok;
+
+my $existing_user = 'root';
+my $nonexistent_user = 'quux-cabbage';
+my $disabled_user = 'disabled';
+
+my $d = RT::Test->load_or_create_user(Name => 'disabled');
+$d->SetDisabled(1);
+$d->SetPassword('testing123ok');
+sub login
+{
+    my ($user) = @_;
+    my $t0 = [gettimeofday()];
+
+    $m->get($baseurl);
+    $m->submit_form(
+        form_id => 'login',
+        fields  => {
+            user => $user,
+            pass => 'testing123ok',
+        }
+        );
+    $m->warning_like(qr/FAILED LOGIN for $user from/, 'Got expected warning');
+    return tv_interval($t0);
+}
+
+my $t_existing = 0.0;
+my $t_nonexisting = 0.0;
+my $t_disabled = 0.0;
+
+for (my $i=0; $i<20; $i++) {
+    $t_existing += login($existing_user);
+}
+for (my $i=0; $i<20; $i++) {
+    $t_nonexisting += login($nonexistent_user);
+}
+for (my $i=0; $i<20; $i++) {
+    $t_disabled += login($disabled_user);
+}
+
+ok ($t_existing >= 0.95 * $t_nonexisting && $t_nonexisting >= 0.95 * $t_existing,
+    "Login timings for existing and nonexisting users are within 5%");
+ok ($t_existing >= 0.95 * $t_disabled && $t_disabled >= 0.95 * $t_existing,
+    "Login timings for existing and disabled users are within 5%");
+ok ($t_nonexisting >= 0.95 * $t_disabled && $t_disabled >= 0.95 * $t_nonexisting,
+    "Login timings for nonexisting and disabled users are within 5%");
+
+done_testing();
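Review bot: The three timing blocks on lines 119-127 run back to back, so any systematic drift during the run (first-request warm-up of the server and database caches, later garbage collection) lands entirely on one user class and can push the sums past the 5% window on its own, making the test flaky in a way unrelated to the side channel it guards against. Interleaving the three cases within a single loop spreads such effects evenly and also replaces the C-style loops with the idiomatic range form. The username is interpolated unescaped into the regex on line 111; `qr/FAILED LOGIN for \Q$user\E from/` keeps a name containing metacharacters from changing the pattern.
```perl
# … unchanged: user setup and login() …
my $t_existing    = 0.0;
my $t_nonexisting = 0.0;
my $t_disabled    = 0.0;

# Interleave the three cases so warm-up and drift during the run are
# shared across all of them instead of biasing whichever block runs first.
for my $round (1 .. 20) {
    $t_existing    += login($existing_user);
    $t_nonexisting += login($nonexistent_user);
    $t_disabled    += login($disabled_user);
}
# … unchanged: the three ok() comparisons and done_testing() …
```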

-----------------------------------------------------------------------


hooks/post-receive
-- 
rt

