Skip to content

fix: prevent certain offset values to address out of hashBytes #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 15, 2025
Merged

fix: prevent certain offset values to address out of hashBytes #23

merged 1 commit into from
Feb 15, 2025

Conversation

@szabolcsnagy
Copy link
Contributor

The HMAC signature only contains 20 hashBytes and if the offset value is the maximum possible 15 the offset + 5 and greater indexes are out of bounds.
This PR will check if those are indexes are valid.

This is related to issue #21.

@szabolcsnagy
Copy link
Contributor Author

I can add tests, but I need to export generateHOTP because I need to fix the counter value to trigger the offset that is too high. Is it okay if I export that function?

kentcdodds
kentcdodds requested changes Feb 15, 2025
View reviewed changes
Copy link
Member

@kentcdodds kentcdodds left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you write a test to check for this bug? Make sure it fails without these changes.

@szabolcsnagy szabolcsnagy force-pushed the stay-compatible-with-auth-apps branch from 3960bd3 to 23aba32 Compare February 15, 2025 18:19
kentcdodds
kentcdodds approved these changes Feb 15, 2025
View reviewed changes
Copy link
Member

@kentcdodds kentcdodds left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@kentcdodds kentcdodds merged commit 3bf1701 into epicweb-dev:main Feb 15, 2025
2 checks passed
@github-actions
Copy link

🎉 This PR is included in version 3.0.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

@kentcdodds
Copy link
Member

This has been reverted because it broke base 2fa functionality. I welcome a contribution which adds this back but does not break this test: 52dabf0

Sorry for the trouble and thank you!

@szabolcsnagy
Copy link
Contributor Author

Alright, I can look into it. I wonder if you tested the new version with an actual authenticator app. It doesn't seem to work for me with Google Authenticator.

@kentcdodds
Copy link
Member

Just tested with one password, and yes it is broken. We need your fix, and we need to make sure that we pass the automated test. At least we need to figure out what is wrong with the automated test.

@szabolcsnagy
Copy link
Contributor Author

I opened a PR that fix that issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kentcdodds kentcdodds kentcdodds approved these changes

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@szabolcsnagy @kentcdodds