Skip to content

[1.x] Fix Throttle Bypass Exploit #354

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Feb 5, 2022
Merged

[1.x] Fix Throttle Bypass Exploit #354

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
22732cc
Bump support version to include transliteration
Feb 5, 2022
7e88b4b
Fix bug where users can bypass throttle using special characters
Feb 5, 2022
1e31887
Fix styling
Feb 5, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
"php": "^7.3|^8.0",
"ext-json": "*",
"bacon/bacon-qr-code": "^2.0",
"illuminate/support": "^8.0|^9.0",
"illuminate/support": "^8.82|^9.0",
"pragmarx/google2fa": "^7.0|^8.0"
},
"require-dev": {
Expand Down
2 changes: 1 addition & 1 deletion src/LoginRateLimiter.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,6 @@ public function clear(Request $request)
*/
protected function throttleKey(Request $request)
{
return Str::lower($request->input(Fortify::username())).'|'.$request->ip();
return Str::transliterate(Str::lower($request->input(Fortify::username())).'|'.$request->ip());
}
}
36 changes: 36 additions & 0 deletions tests/AuthenticatedSessionControllerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,10 @@

namespace Laravel\Fortify\Tests;

use Illuminate\Cache\RateLimiter;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Foundation\Auth\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Schema;
Expand Down Expand Up @@ -143,6 +145,40 @@ public function test_login_attempts_are_throttled()
$response->assertJsonValidationErrors(['email']);
}

/**
* @dataProvider usernameProvider
*/
public function test_cant_bypass_throttle_with_special_characters(string $username, string $expectedResult)
{
$loginRateLimiter = new LoginRateLimiter(
$this->mock(RateLimiter::class)
);

$reflection = new \ReflectionClass($loginRateLimiter);
$method = $reflection->getMethod('throttleKey');
$method->setAccessible(true);

$request = $this->mock(
Request::class,
static function ($mock) use ($username) {
$mock->shouldReceive('input')->andReturn($username);
$mock->shouldReceive('ip')->andReturn('192.168.0.1');
}
);

self::assertSame($expectedResult.'|192.168.0.1', $method->invoke($loginRateLimiter, $request));
}

public function usernameProvider(): array
{
return [
'lowercase special characters' => ['ⓣⓔⓢⓣ@ⓛⓐⓡⓐⓥⓔⓛ.ⓒⓞⓜ', '[email protected]'],
'uppercase special characters' => ['ⓉⒺⓈⓉ@ⓁⒶⓇⒶⓋⒺⓁ.ⒸⓄⓂ', '[email protected]'],
'special character numbers' =>['test⑩⓸③@laravel.com', '[email protected]'],
'default email' => ['[email protected]', '[email protected]'],
];
}

public function test_the_user_can_logout_of_the_application()
{
Auth::guard()->setUser(
Expand Down