Prevent security failure due to bad APP_ID (#18678)

zeripath · lunny · web-flow · commit 2f766082214e · 2022-02-09T15:37:58.000+08:00
WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.

Also we should allow [u2f] as-well as [U2F] sections.

Signed-off-by: Andrew Thornton &lt;art27@cantab.net&gt;

Co-authored-by: Lunny Xiao &lt;xiaolunwen@gmail.com&gt;
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
@@ -1061,11 +1061,14 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 	}
 
 	// FIXME: DEPRECATED to be removed in v1.18.0
+	U2F.AppID = strings.TrimSuffix(AppURL, "/")
 	if Cfg.Section("U2F").HasKey("APP_ID") {
 		log.Error("Deprecated setting `[U2F]` `APP_ID` present. This fallback will be removed in v1.18.0")
+		U2F.AppID = Cfg.Section("U2F").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))
+	} else if Cfg.Section("u2f").HasKey("APP_ID") {
+		log.Error("Deprecated setting `[u2]` `APP_ID` present. This fallback will be removed in v1.18.0")
+		U2F.AppID = Cfg.Section("u2f").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))
 	}
-	sec = Cfg.Section("U2F")
-	U2F.AppID = sec.Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))
 }
 
 func parseAuthorizedPrincipalsAllow(values []string) ([]string, bool) {
diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
@@ -24,6 +24,19 @@ export function initUserAuthWebAuthn() {
         .then((credential) => {
           verifyAssertion(credential);
         }).catch((err) => {
+          // Try again... without the appid
+          if (makeAssertionOptions.publicKey.extensions && makeAssertionOptions.publicKey.extensions.appid) {
+            delete makeAssertionOptions.publicKey.extensions['appid'];
+            navigator.credentials.get({
+              publicKey: makeAssertionOptions.publicKey
+            })
+              .then((credential) => {
+                verifyAssertion(credential);
+              }).catch((err) => {
+                webAuthnError('general', err.message);
+              });
+            return;
+          }
           webAuthnError('general', err.message);
         });
     }).fail(() => {

Original file line number	Diff line number	Diff line change
`@@ -1061,11 +1061,14 @@ func loadFromConf(allowEmpty bool, extraConfig string) {`
`1061`	`1061`	`}`
`1062`	`1062`
`1063`	`1063`	`// FIXME: DEPRECATED to be removed in v1.18.0`
	`1064`	`+ U2F.AppID = strings.TrimSuffix(AppURL, "/")`
`1064`	`1065`	`if Cfg.Section("U2F").HasKey("APP_ID") {`
`1065`	`1066`	log.Error("Deprecated setting `[U2F]` `APP_ID` present. This fallback will be removed in v1.18.0")
	`1067`	`+ U2F.AppID = Cfg.Section("U2F").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))`
	`1068`	`+ } else if Cfg.Section("u2f").HasKey("APP_ID") {`
	`1069`	+ log.Error("Deprecated setting `[u2]` `APP_ID` present. This fallback will be removed in v1.18.0")
	`1070`	`+ U2F.AppID = Cfg.Section("u2f").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))`
`1066`	`1071`	`}`
`1067`		`- sec = Cfg.Section("U2F")`
`1068`		`- U2F.AppID = sec.Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))`
`1069`	`1072`	`}`
`1070`	`1073`
`1071`	`1074`	`func parseAuthorizedPrincipalsAllow(values []string) ([]string, bool) {`