This is an automated email from the ASF dual-hosted git repository.
lahirujayathilake pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airavata-portals.git
The following commit(s) were added to refs/heads/main by this push:
new c61e1eee2 fix password reset vulnerability
c61e1eee2 is described below
commit c61e1eee2e330af36ecd33cc578538cbc5d4d980
Author: lahiruj <[email protected]>
AuthorDate: Thu Oct 16 13:42:57 2025 -0400
fix password reset vulnerability
---
airavata-php-gateway/app/libraries/EmailUtilities.php | 12 ++++++------
airavata-php-gateway/routes/web.php | 12 ++++++------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/airavata-php-gateway/app/libraries/EmailUtilities.php
b/airavata-php-gateway/app/libraries/EmailUtilities.php
index 49d705813..5cc59b543 100644
--- a/airavata-php-gateway/app/libraries/EmailUtilities.php
+++ b/airavata-php-gateway/app/libraries/EmailUtilities.php
@@ -7,7 +7,7 @@ class EmailUtilities
public static function sendVerifyEmailAccount($username, $firstName,
$lastName, $email){
$portalConfig = Config::get('pga_config.portal');
$validTime = isset($portalConfig['mail-verify-code-valid-time']) ?
$portalConfig['mail-verify-code-valid-time'] : 30;
- $code = uniqid();
+ $code = bin2hex(random_bytes(32));
Cache::put('PGA-VERIFY-EMAIL-' . $username, $code, $validTime);
$emailTemplates = json_decode(File::get(app_path() .
'/config/email_templates.json'));
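Review bot: The token generation on the `+` line, `$code = bin2hex(random_bytes(32));`, is now repeated verbatim in this hunk and in the hunks at `-45,7` and `-84,7`; a single private helper would keep the three flows from drifting the next time the length or encoding changes, e.g. `private static function newOneTimeCode(): string { return bin2hex(random_bytes(32)); }` with `$code = self::newOneTimeCode();` at each call site. A short comment at the helper should state why this replaces uniqid(): uniqid() is time-derived and predictable, while random_bytes() is a CSPRNG and throws rather than returning weak output if no entropy source is available. sendVerifyEmailAccount's body continues outside the hunk, so where an exception from random_bytes() would be handled cannot be seen here.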
@@ -36,7 +36,7 @@ class EmailUtilities
if(Cache::has('PGA-VERIFY-EMAIL-' . $username)){
$storedCode = Cache::get('PGA-VERIFY-EMAIL-' . $username);
Cache::forget('PGA-VERIFY-EMAIL-' . $username);
- return $storedCode == $code;
+ return hash_equals($storedCode, $code);
}else{
return false;
}
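Review bot: `hash_equals($storedCode, $code)` on the `+` line requires both arguments to be strings; under PHP 8 a non-string `$code` (for instance an array arriving from a `code[]` query parameter) raises a TypeError, so the request fails with an error instead of the method returning false. A guard ahead of the comparison keeps the failure path uniform: `if (!is_string($storedCode) || !is_string($code)) { return false; }`. The same applies to the hunks at `-74,7` and `-113,7`. The method signature and the origin of `$code` are outside the hunk, so whether callers already validate its type cannot be confirmed here; the stored code is forgotten before the compare, so one mismatched attempt invalidates it, which is worth a one-line comment since it is easy to read as a bug.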
@@ -45,7 +45,7 @@ class EmailUtilities
public static function sendVerifyUpdatedEmailAccount($username,
$firstName, $lastName, $email){
$portalConfig = Config::get('pga_config.portal');
$validTime = isset($portalConfig['mail-verify-code-valid-time']) ?
$portalConfig['mail-verify-code-valid-time'] : 30;
- $code = uniqid();
+ $code = bin2hex(random_bytes(32));
Cache::put('PGA-VERIFY-UPDATED-EMAIL-' . $username, $code, $validTime);
$emailTemplates = json_decode(File::get(app_path() .
'/config/email_templates.json'));
@@ -74,7 +74,7 @@ class EmailUtilities
if(Cache::has('PGA-VERIFY-UPDATED-EMAIL-' . $username)){
$storedCode = Cache::get('PGA-VERIFY-UPDATED-EMAIL-' . $username);
Cache::forget('PGA-VERIFY-UPDATED-EMAIL-' . $username);
- return $storedCode == $code;
+ return hash_equals($storedCode, $code);
}else{
return false;
}
@@ -84,7 +84,7 @@ class EmailUtilities
public static function sendPasswordResetEmail($username, $firstName,
$lastName, $email){
$portalConfig = Config::get('pga_config.portal');
$validTime = isset($portalConfig['mail-verify-code-valid-time']) ?
$portalConfig['mail-verify-code-valid-time'] : 30;
- $code = uniqid();
+ $code = bin2hex(random_bytes(32));
Cache::put('PGA-RESET-PASSWORD-' . $username, $code, $validTime);
$emailTemplates = json_decode(File::get(app_path() .
'/config/email_templates.json'));
@@ -113,7 +113,7 @@ class EmailUtilities
if(Cache::has('PGA-RESET-PASSWORD-' . $username)){
$storedCode = Cache::get('PGA-RESET-PASSWORD-' . $username);
Cache::forget('PGA-RESET-PASSWORD-' . $username);
- return $storedCode == $code;
+ return hash_equals($storedCode, $code);
}else{
return false;
}
diff --git a/airavata-php-gateway/routes/web.php
b/airavata-php-gateway/routes/web.php
index 6a8dad48b..e58bd3c7b 100644
--- a/airavata-php-gateway/routes/web.php
+++ b/airavata-php-gateway/routes/web.php
@@ -30,11 +30,11 @@ Route::get('callback-url', [AccountController::class,
'oauthCallback']);
Route::get('logout', [AccountController::class, 'logout']);
Route::post('api-login', [AccountController::class, 'apiLoginSubmit']);
Route::get('forgot-password', [AccountController::class, 'forgotPassword']);
-Route::get('reset-password', [AccountController::class, 'resetPassword']);
-Route::post('reset-password', [AccountController::class,
'resetPasswordSubmit']);
-Route::post('forgot-password', [AccountController::class,
'forgotPasswordSubmit']);
-Route::get('confirm-user-registration', [AccountController::class,
'confirmAccountCreation']);
-Route::post('confirm-user-registration', [AccountController::class,
'confirmAccountCreation']);
+Route::get('reset-password', [AccountController::class,
'resetPassword'])->middleware('throttle:5,10');
+Route::post('reset-password', [AccountController::class,
'resetPasswordSubmit'])->middleware('throttle:5,10');
+Route::post('forgot-password', [AccountController::class,
'forgotPasswordSubmit'])->middleware('throttle:3,10');
+Route::get('confirm-user-registration', [AccountController::class,
'confirmAccountCreation'])->middleware('throttle:10,10');
+Route::post('confirm-user-registration', [AccountController::class,
'confirmAccountCreation'])->middleware('throttle:10,10');
Route::get('setUserTimezone', function () {
Session::put('user_timezone', request('timezone'));
});
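Review bot: The `throttle:N,M` limits added to the five `+` lines are, under Laravel's default ThrottleRequests middleware, keyed per client for unauthenticated requests (presumably by IP; the configured key is not visible here), so they bound abuse of the email-sending and confirmation endpoints from one source rather than guessing against a specific account across many sources; the 32-byte random code in EmailUtilities is the actual defense against guessing, and a comment above this group should say so, e.g. `// Per-client rate limits on the reset/confirm flows; the one-time codes themselves are the guard against guessing.`. The same change appears in the hunk at `-57,7` for `user-profile-confirm-email`. The adjacent context line `Route::post('api-login', ...)` keeps no throttle while every other credential-adjacent route here gains one; if that is intentional a comment stating why would prevent the next reader from treating it as an oversight.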
@@ -57,7 +57,7 @@ Route::get('account/user-profile',
[UserSettingsController::class, 'getUserProfi
Route::post('account/user-profile', [UserSettingsController::class,
'updateUserProfile']);
Route::get('account/user-profile-update-email',
[UserSettingsController::class, 'showUpdateEmailView']);
Route::post('account/user-profile-update-email',
[UserSettingsController::class, 'submitUpdateEmail']);
-Route::get('user-profile-confirm-email', [UserSettingsController::class,
'confirmUpdateEmail']);
+Route::get('user-profile-confirm-email', [UserSettingsController::class,
'confirmUpdateEmail'])->middleware('throttle:10,10');
Route::get('project/create', [ProjectController::class, 'createView']);
Route::post('project/create', [ProjectController::class, 'createSubmit']);
Route::get('project/summary', [ProjectController::class, 'summary']);