From 63ebe2f19727104696eb026aaed124267f3d2097 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Fri, 21 Jul 2023 22:39:59 +0900
Subject: [PATCH 1/4] Add test for bad challenge
---
 test/net/imap/test_imap_authenticators.rb | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/test/net/imap/test_imap_authenticators.rb b/test/net/imap/test_imap_authenticators.rb
index 3ca53f1f..e838b8a2 100644
--- a/test/net/imap/test_imap_authenticators.rb
+++ b/test/net/imap/test_imap_authenticators.rb
@@ -153,4 +153,11 @@ def test_digest_md5_authenticator
 )
 )
 end
+
+ def test_digest_md5_authenticator_garbage
+ auth = digest_md5("user", "pass")
+ assert_raise(Net::IMAP::DataFormatError) do
+ auth.process('.')
+ end
+ end
 end
From 2a85ac157cdf1747c08f172cd8a598cfa8772071 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Fri, 21 Jul 2023 22:41:13 +0900
Subject: [PATCH 2/4] Fix `NoMethodError` when "qop" is not present
---
 lib/net/imap/authenticators/digest_md5.rb | 2 +-
 test/net/imap/test_imap_authenticators.rb | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/net/imap/authenticators/digest_md5.rb b/lib/net/imap/authenticators/digest_md5.rb
index aa4e88a1..b31bda4f 100644
--- a/lib/net/imap/authenticators/digest_md5.rb
+++ b/lib/net/imap/authenticators/digest_md5.rb
@@ -26,7 +26,7 @@ def process(challenge)
 sparams[k] = v
 end
 
- raise Net::IMAP::DataFormatError, "Bad Challenge: '#{challenge}'" unless c.eos?
+ raise Net::IMAP::DataFormatError, "Bad Challenge: '#{challenge}'" unless c.eos? and sparams['qop']
 raise Net::IMAP::Error, "Server does not support auth (qop = #{sparams['qop'].join(',')})" unless sparams['qop'].include?("auth")
 
 response = {
diff --git a/test/net/imap/test_imap_authenticators.rb b/test/net/imap/test_imap_authenticators.rb
index e838b8a2..6bb111c0 100644
--- a/test/net/imap/test_imap_authenticators.rb
+++ b/test/net/imap/test_imap_authenticators.rb
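Review bot: In the `@@ -26,7 +26,7 @@` hunk of lib/net/imap/authenticators/digest_md5.rb, the new guard only checks that `sparams['qop']` is non-nil, while the unchanged next line still calls `.join(',')` and `.include?("auth")` on it. Going by the parser lines visible in this series, a value without a comma is presumably left as a String (the split into an Array is not shown), so a server offering only `qop="auth-int"` would pass the substring test, and any other single value would raise NoMethodError from `join` instead of a Net::IMAP error. Normalising right after the guard with `qop = Array(sparams['qop'])` and then using `qop.include?("auth")` and `qop.join(',')` would close both cases. Separately, `unless c.eos? and sparams['qop']` is safer written as `unless c.eos? && sparams['qop']`, since `and` binds more loosely than most readers expect. The body of process starts and ends outside the hunk.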
@@ -160,4 +160,11 @@ def test_digest_md5_authenticator_garbage
 auth.process('.')
 end
 end
+
+ def test_digest_md5_authenticator_no_qop
+ auth = digest_md5("user", "pass")
+ assert_raise(Net::IMAP::DataFormatError) do
+ auth.process('Qop=""')
+ end
+ end
 end
From c92ed92c8cec6a0c68dbcd7d8ca977ace97e862e Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Fri, 21 Jul 2023 23:08:03 +0900
Subject: [PATCH 3/4] Remove nested quantifier https://hackerone.com/reports/660822
---
 lib/net/imap/authenticators/digest_md5.rb | 2 +-
 test/net/imap/test_imap_authenticators.rb | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/net/imap/authenticators/digest_md5.rb b/lib/net/imap/authenticators/digest_md5.rb
index b31bda4f..86aae605 100644
--- a/lib/net/imap/authenticators/digest_md5.rb
+++ b/lib/net/imap/authenticators/digest_md5.rb
@@ -15,7 +15,7 @@ def process(challenge)
 @stage = STAGE_TWO
 sparams = {}
 c = StringScanner.new(challenge)
- while c.scan(/(?:\s*,)?\s*(\w+)=("(?:[^\\"]+|\\.)*"|[^,]+)\s*/)
+ while c.scan(/(?:\s*,)?\s*(\w+)=("(?:[^\\"]|\\.)*"|[^,]+)\s*/)
 k, v = c[1], c[2]
 if v =~ /^"(.*)"$/
 v = $1
diff --git a/test/net/imap/test_imap_authenticators.rb b/test/net/imap/test_imap_authenticators.rb
index 6bb111c0..3ef15ab7 100644
--- a/test/net/imap/test_imap_authenticators.rb
+++ b/test/net/imap/test_imap_authenticators.rb
@@ -167,4 +167,14 @@ def test_digest_md5_authenticator_no_qop
 auth.process('Qop=""')
 end
 end
+
+ def test_digest_md5_authenticator_illinear
+ pre = ->(n) {'qop="a' + ',x'*n}
+ assert_linear_performance([5, 10, 15, 20], pre: pre) do |challenge|
+ auth = digest_md5("user", "pass")
+ assert_raise(Net::IMAP::DataFormatError) do
+ auth.process(challenge)
+ end
+ end
+ end
 end
From bd6817489e43a5ddab0bef14e3694d8e4f22839e Mon Sep 17 00:00:00 2001
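Review bot: The rewritten scanner pattern in the `@@ -15,7 +15,7 @@` hunk of lib/net/imap/authenticators/digest_md5.rb has no comment explaining why the inner `+` must stay out, and the only regression guard, test_digest_md5_authenticator_illinear, is marked pending by the last patch in this series. A comment above the `while c.scan(...)` line, such as `# No quantifier inside the quoted-string group: the challenge is server-controlled and a nested quantifier backtracks super-linearly on an unterminated quote`, would keep a later edit from restoring it. The unchanged `if v =~ /^"(.*)"$/` just below still uses line anchors; `\A` and `\z` would state the whole-value intent. The body of process continues outside the hunk.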
From: nick evans
Date: Wed, 26 Jul 2023 09:59:00 -0400
Subject: [PATCH 4/4] =?UTF-8?q?=E2=9C=85=20Mark=20assert=5Flinear=5Fperfor?= =?UTF-8?q?mance=20test=20as=20pending?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is marked as pending in the backports branch because test-unit-ruby-core from git (added by #151) doesn't work with ruby 2.6.
---
 test/net/imap/test_imap_authenticators.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test/net/imap/test_imap_authenticators.rb b/test/net/imap/test_imap_authenticators.rb
index 3ef15ab7..119b22b7 100644
--- a/test/net/imap/test_imap_authenticators.rb
+++ b/test/net/imap/test_imap_authenticators.rb
@@ -169,6 +169,7 @@ def test_digest_md5_authenticator_no_qop
 end
 
 def test_digest_md5_authenticator_illinear
+ pend "Need to backport #151 for assert_linear_performance"
 pre = ->(n) {'qop="a' + ',x'*n}
 assert_linear_performance([5, 10, 15, 20], pre: pre) do |challenge|
 auth = digest_md5("user", "pass")
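Review bot: The added `pend` in test_digest_md5_authenticator_illinear is unconditional, so the linear-time regression check for the DIGEST-MD5 challenge parser never runs on this branch, even where the helper could be loaded. Making it conditional, `pend "Need to backport #151 for assert_linear_performance" unless respond_to?(:assert_linear_performance, true)`, would keep the test live wherever it can run. The description ties this to the backports branch and ruby 2.6, so the guard should be checked against how the helper is loaded there. The test method ends outside the hunk.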