Fix critical security issue with misusing the Django Signer API

After the code was refactored to use the official Signer class the salt was passed wrongly as secret key, replacing the SECRET_KEY set in Django settings file. This allows, with verification enabled, to guess the signature by a potential attacker very easily. In reset password case, the guessing by attacker can be mitigated somewhat by using RESET_PASSWORD_VERIFICATION_ONE_TIME_USE but it leads to a different signature schema. This bug affects versions 0.2.*, 0.3.*, 0.4.*
apragacz · Jun 30, 2019 · 26d094f · 26d094f · mlissner · Jun 15, 2023
1 parent dd7a2a5
commit 26d094f
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 3 deletions.
diff --git a/rest_registration/verification.py b/rest_registration/verification.py
@@ -31,7 +31,7 @@ def __init__(self, data):
             data[self.TIMESTAMP_FIELD] = get_current_timestamp()
         self._data = data
         self._salt = self._calculate_salt(data)
-        self._signer = Signer(self._salt)
+        self._signer = Signer(salt=self._salt)
 
     def _calculate_signature(self, data):
         if self.SIGNATURE_FIELD in data:

diff --git a/tests/api/test_register.py b/tests/api/test_register.py
@@ -67,6 +67,27 @@ def test_no_password_ok(self):
         )
 
 
+@override_settings(REST_REGISTRATION=REST_REGISTRATION_WITH_VERIFICATION)
+class RegisterSignerTestCase(TestCase):
+
+    def test_signer_with_different_secret_keys(self):
+        user = self.create_test_user(is_active=False)
+        data_to_sign = {'user_id': user.pk}
+        secrets = [
+            '#0ka!t#6%28imjz+2t%l(()yu)tg93-1w%$du0*po)*@l+@+4h',
+            'feb7tjud7m=91$^mrk8dq&nz(0^!6+1xk)%gum#oe%(n)8jic7',
+        ]
+        signatures = []
+        for secret in secrets:
+            with override_settings(
+                    SECRET_KEY=secret):
+                signer = RegisterSigner(data_to_sign)
+                data = signer.get_signed_data()
+                signatures.append(data[signer.SIGNATURE_FIELD])
+
+        assert signatures[0] != signatures[1]
+
+
 def build_custom_verification_url(signer):
     base_url = signer.get_base_url()
     signed_data = signer.get_signed_data()

diff --git a/tests/api/test_register_email.py b/tests/api/test_register_email.py
@@ -6,7 +6,7 @@
 from rest_framework.test import force_authenticate
 
 from rest_registration.api.views.register_email import RegisterEmailSigner
-from tests.utils import shallow_merge_dicts
+from tests.utils import TestCase, shallow_merge_dicts
 
 from .base import APIViewTestCase
 
@@ -18,6 +18,31 @@
 }
 
 
+@override_settings(REST_REGISTRATION=REST_REGISTRATION_WITH_EMAIL_VERIFICATION)
+class RegisterEmailSignerTestCase(TestCase):
+
+    def test_signer_with_different_secret_keys(self):
+        email = 'testuser1@example.com'
+        user = self.create_test_user(is_active=False)
+        data_to_sign = {
+            'user_id': user.pk,
+            'email': email,
+        }
+        secrets = [
+            '#0ka!t#6%28imjz+2t%l(()yu)tg93-1w%$du0*po)*@l+@+4h',
+            'feb7tjud7m=91$^mrk8dq&nz(0^!6+1xk)%gum#oe%(n)8jic7',
+        ]
+        signatures = []
+        for secret in secrets:
+            with override_settings(
+                    SECRET_KEY=secret):
+                signer = RegisterEmailSigner(data_to_sign)
+                data = signer.get_signed_data()
+                signatures.append(data[signer.SIGNATURE_FIELD])
+
+        assert signatures[0] != signatures[1]
+
+
 class BaseRegisterEmailViewTestCase(APIViewTestCase):
 
     def setUp(self):

diff --git a/tests/api/test_reset_password.py b/tests/api/test_reset_password.py
@@ -6,7 +6,7 @@
 from rest_framework import status
 
 from rest_registration.api.views.reset_password import ResetPasswordSigner
-from tests.utils import shallow_merge_dicts
+from tests.utils import TestCase, shallow_merge_dicts
 
 from .base import APIViewTestCase
 
@@ -18,6 +18,27 @@
 }
 
 
+@override_settings(REST_REGISTRATION=REST_REGISTRATION_WITH_RESET_PASSWORD)
+class ResetPasswordSignerTestCase(TestCase):
+
+    def test_signer_with_different_secret_keys(self):
+        user = self.create_test_user(is_active=False)
+        data_to_sign = {'user_id': user.pk}
+        secrets = [
+            '#0ka!t#6%28imjz+2t%l(()yu)tg93-1w%$du0*po)*@l+@+4h',
+            'feb7tjud7m=91$^mrk8dq&nz(0^!6+1xk)%gum#oe%(n)8jic7',
+        ]
+        signatures = []
+        for secret in secrets:
+            with override_settings(
+                    SECRET_KEY=secret):
+                signer = ResetPasswordSigner(data_to_sign)
+                data = signer.get_signed_data()
+                signatures.append(data[signer.SIGNATURE_FIELD])
+
+        assert signatures[0] != signatures[1]
+
+
 @override_settings(
     REST_REGISTRATION=REST_REGISTRATION_WITH_RESET_PASSWORD,
 )