[Rt-commit] rt branch 4.4/security-tests-2021 created. rt-4.4.6-6-gc39b3438b5
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".
The branch, 4.4/security-tests-2021 has been created
at c39b3438b51a94ef56340c2e1d3aab8930a5e008 (commit)
- Log -----------------------------------------------------------------
commit c39b3438b51a94ef56340c2e1d3aab8930a5e008
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jul 15 05:09:52 2022 +0800
Add security tests for vulnerabilities released between 2014 and 2021
This includes tests for:
CVE-2014-9472: mailgate DoS
CVE-2021-38562: side channel attack
diff --git a/t/security/CVE-2014-9472-decode-dos.t b/t/security/CVE-2014-9472-decode-dos.t
new file mode 100644
index 0000000000..8bdce7d8bb
--- /dev/null
+++ b/t/security/CVE-2014-9472-decode-dos.t
@@ -0,0 +1,45 @@
+use strict;
+use warnings;
+
+use RT::Test tests => undef;
+plan skip_all => "Requires perl >= 5.14.0 to generate the warnings"
+ if $] lt '5.014';
+
+my $mail = <<'EOF';
+From: root at localhost
+To: rt at localhost
+Subject: Testing
+Content-Type: text/plain; charset="utf-32LE"
+Content-Transfer-Encoding: base64
+
+EOF
+$mail .= (("F" x 76)."\r\n") x 100;
+
+# We do this via callback on the logger because it is otherwise hard to
+# know what got skipped by our $SIG{__WARN__}
+my @warnings;
+
+# Stop warnings from going to STDERR; even when passing, we expect this
+# to generate warnings.
+ok $RT::Logger->remove( 'rttest' );
+
+$RT::Logger->add_callback(
+ sub {
+ my (%args) = @_;
+ push @warnings, $args{message} if $args{level} eq "warning";
+ return $args{message};
+ }
+);
+
+my ($status, $id) = RT::Test->send_via_mailgate(
+ $mail,
+ queue => "general"
+);
+
+ok @warnings < 20, "There are up to a small number or warnings; got @{[@warnings+0]}";
+
+# Clear our the warnings to make Test::NoWarnings happy. We know we
+# generated some.
+Test::NoWarnings->clear_warnings;
+
+done_testing;
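Review bot: The test description on the `ok @warnings < 20` line has a typo ("a small number or warnings") that shows up in TAP output; it should read `ok @warnings < 20, "There are up to a small number of warnings; got @{[@warnings+0]}";`. Separately, `$status` and `$id` returned by `send_via_mailgate` are assigned but never checked, so the test only guards against the warning flood and a harness timeout, not against the message being rejected or accepted; if the expected outcome for this malformed utf-32LE/base64 body is known, an assertion on `$status` would pin it, otherwise the two unused variables can be dropped. The callback registered on `$RT::Logger` is never removed, which is acceptable here only because the process ends at `done_testing`; a one-line comment saying so would save the next reader from looking for the teardown.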
diff --git a/t/security/CVE-2021-38562-timing-side-channel.t b/t/security/CVE-2021-38562-timing-side-channel.t
new file mode 100644
index 0000000000..fa7a5a126e
--- /dev/null
+++ b/t/security/CVE-2021-38562-timing-side-channel.t
@@ -0,0 +1,54 @@
+use strict;
+use warnings;
+
+use RT::Test;
+use Time::HiRes qw(tv_interval gettimeofday);
+
+my ( $baseurl, $m ) = RT::Test->started_ok;
+
+my $existing_user = 'root';
+my $nonexistent_user = 'quux-cabbage';
+my $disabled_user = 'disabled';
+
+my $d = RT::Test->load_or_create_user(Name => 'disabled');
+$d->SetDisabled(1);
+$d->SetPassword('testing123ok');
+sub login
+{
+ my ($user) = @_;
+ my $t0 = [gettimeofday()];
+
+ $m->get($baseurl);
+ $m->submit_form(
+ form_id => 'login',
+ fields => {
+ user => $user,
+ pass => 'testing123ok',
+ }
+ );
+ $m->warning_like(qr/FAILED LOGIN for $user from/, 'Got expected warning');
+ return tv_interval($t0);
+}
+
+my $t_existing = 0.0;
+my $t_nonexisting = 0.0;
+my $t_disabled = 0.0;
+
+for (my $i=0; $i<20; $i++) {
+ $t_existing += login($existing_user);
+}
+for (my $i=0; $i<20; $i++) {
+ $t_nonexisting += login($nonexistent_user);
+}
+for (my $i=0; $i<20; $i++) {
+ $t_disabled += login($disabled_user);
+}
+
+ok ($t_existing >= 0.95 * $t_nonexisting && $t_nonexisting >= 0.95 * $t_existing,
+ "Login timings for existing and nonexisting users are within 5%");
+ok ($t_existing >= 0.95 * $t_disabled && $t_disabled >= 0.95 * $t_existing,
+ "Login timings for existing and disabled users are within 5%");
+ok ($t_nonexisting >= 0.95 * $t_disabled && $t_disabled >= 0.95 * $t_nonexisting,
+ "Login timings for nonexisting and disabled users are within 5%");
+
+done_testing();
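Review bot: The three timing loops run back to back (all 20 existing-user logins, then all nonexistent, then all disabled), so any warm-up cost, cache fill or background drift lands disproportionately in the first group and can push the summed timings outside the 5% window on a loaded CI host even when the server's behaviour is constant-time; interleaving the three logins in a single loop spreads such effects evenly across the groups. While touching the loops, `for my $i (1 .. 20)` is the idiomatic form and avoids the C-style counter. In `login`, `$user` is interpolated unescaped into `qr/FAILED LOGIN for $user from/`; the values are fixed literals today, but `qr/FAILED LOGIN for \Q$user\E from/` keeps the match literal if a name with regex metacharacters is ever added. The literal `'disabled'` passed to `load_or_create_user` could also reuse `$disabled_user` so the two cannot drift apart.
```perl
# … unchanged: user setup and sub login …
my $t_existing = 0.0;
my $t_nonexisting = 0.0;
my $t_disabled = 0.0;

# Round-robin so warm-up and drift affect all three groups equally.
for my $i (1 .. 20) {
    $t_existing    += login($existing_user);
    $t_nonexisting += login($nonexistent_user);
    $t_disabled    += login($disabled_user);
}
# … unchanged: the three ok() comparisons and done_testing …
```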