From 9c8945141c19f846e76b7f4463579f9319e5254e Mon Sep 17 00:00:00 2001 From: netkas Date: Wed, 12 Mar 2025 14:14:03 -0400 Subject: [PATCH] Refactor SettingsUpdatePassword and PasswordManager to improve password validation and ensure UUID integrity https://github.com/nosial/Socialbox-PHP/issues/70 --- .../Settings/SettingsUpdatePassword.php | 15 +-------------- src/Socialbox/Managers/PasswordManager.php | 11 ++++++++++- 2 files changed, 11 insertions(+), 15 deletions(-) diff --git a/src/Socialbox/Classes/StandardMethods/Settings/SettingsUpdatePassword.php b/src/Socialbox/Classes/StandardMethods/Settings/SettingsUpdatePassword.php index 3127648..ccc96c7 100644 --- a/src/Socialbox/Classes/StandardMethods/Settings/SettingsUpdatePassword.php +++ b/src/Socialbox/Classes/StandardMethods/Settings/SettingsUpdatePassword.php @@ -3,11 +3,9 @@ namespace Socialbox\Classes\StandardMethods\Settings; use Socialbox\Abstracts\Method; - use Socialbox\Classes\Cryptography; use Socialbox\Enums\StandardError; use Socialbox\Exceptions\CryptographyException; use Socialbox\Exceptions\DatabaseOperationException; - use Socialbox\Exceptions\Standard\InvalidRpcArgumentException; use Socialbox\Exceptions\Standard\MissingRpcArgumentException; use Socialbox\Exceptions\Standard\StandardRpcException; use Socialbox\Interfaces\SerializableInterface; @@ -26,22 +24,11 @@ { throw new MissingRpcArgumentException('password'); } - - if(!Cryptography::validatePasswordHash($rpcRequest->getParameter('password'))) - { - throw new InvalidRpcArgumentException('password', 'Must be a valid argon2id hash'); - } - if(!$rpcRequest->containsParameter('existing_password')) { throw new MissingRpcArgumentException('existing_password'); } - if(!Cryptography::validateSha512($rpcRequest->getParameter('existing_password'))) - { - throw new InvalidRpcArgumentException('existing_password', 'Must be a valid SHA-512 hash'); - } - try { if (!PasswordManager::usesPassword($request->getPeer()->getUuid())) @@ -73,7 +60,7 @@ try { // Set the password - PasswordManager::updatePassword($request->getPeer(), $rpcRequest->getParameter('password')); + PasswordManager::updatePassword($request->getPeer(), (string)$rpcRequest->getParameter('password')); } catch(CryptographyException $e) { diff --git a/src/Socialbox/Managers/PasswordManager.php b/src/Socialbox/Managers/PasswordManager.php index 4966dc3..2eaf6ab 100644 --- a/src/Socialbox/Managers/PasswordManager.php +++ b/src/Socialbox/Managers/PasswordManager.php @@ -3,6 +3,7 @@ namespace Socialbox\Managers; use DateTime; + use InvalidArgumentException; use PDO; use PDOException; use Socialbox\Classes\Configuration; @@ -28,6 +29,10 @@ { $peerUuid = $peerUuid->getUuid(); } + elseif(!Validator::validateUuid($peerUuid)) + { + throw new InvalidArgumentException('The given internal peer UUID is not a valid UUID V4'); + } try { @@ -97,10 +102,14 @@ { $peerUuid = $peerUuid->getUuid(); } + elseif(!Validator::validateUuid($peerUuid)) + { + throw new CryptographyException('The given internal peer UUID is not a valid UUID V4'); + } if(!Cryptography::validatePasswordHash($hash)) { - throw new CryptographyException('Invalid password hash'); + throw new CryptographyException('Invalid password argon2id hash'); } $encryptionKey = Configuration::getCryptographyConfiguration()->getRandomInternalEncryptionKey();