mirror of https://git.asonix.dog/asonix/pict-rs synced 2025-01-08 18:51:24 +00:00

Implement constant-time equality for delete tokens, inline alias cleanup

asonix 2023-10-04 12:11:29 -05:00
parent d5a7e07118
commit 914e21c043
6 changed files with 11 additions and 4 deletions

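--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1860,6 +1860,7 @@ dependencies = [
 "sled",
 "storage-path-generator",
 "streem",
+"subtle",
 "thiserror",
 "time",
 "tokio",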


@ -53,6 +53,7 @@ sha2 = "0.10.0"
sled = { version = "0.34.7" } sled = { version = "0.34.7" }
storage-path-generator = "0.1.0" storage-path-generator = "0.1.0"
streem = "0.2.0" streem = "0.2.0"
subtle = { version = "2.5.0", default-features = false }
thiserror = "1.0" thiserror = "1.0"
time = { version = "0.3.0", features = ["serde", "serde-well-known"] } time = { version = "0.3.0", features = ["serde", "serde-well-known"] }
tokio = { version = "1", features = ["full", "tracing"] } tokio = { version = "1", features = ["full", "tracing"] }


@ -712,7 +712,8 @@ async fn delete(
let token = DeleteToken::from_existing(&token); let token = DeleteToken::from_existing(&token);
let alias = Alias::from_existing(&alias); let alias = Alias::from_existing(&alias);
queue::cleanup_alias(&repo, alias, token).await?; // delete alias inline
queue::cleanup::alias(&repo, alias, token).await?;
Ok(HttpResponse::NoContent().finish()) Ok(HttpResponse::NoContent().finish())
} }
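Review bot: The new comment `// delete alias inline` says what the call does but not why the handler stopped going through `queue::cleanup_alias`. As far as this hunk shows, `queue::cleanup::alias(...)` now runs in the request path, so a token mismatch presumably reaches the client as an error instead of the request being accepted and the check happening later. If that is the intent, state it, e.g. `// Run cleanup inline so an invalid delete token fails this request instead of a queued job`. The body of `delete` starts outside the hunk.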


@ -16,7 +16,7 @@ use std::{
}; };
use tracing::Instrument; use tracing::Instrument;
mod cleanup; pub(crate) mod cleanup;
mod process; mod process;
const CLEANUP_QUEUE: &str = "cleanup"; const CLEANUP_QUEUE: &str = "cleanup";


@ -111,10 +111,10 @@ async fn hash(repo: &ArcRepo, hash: Hash) -> Result<(), Error> {
} }
#[tracing::instrument(skip_all)] #[tracing::instrument(skip_all)]
async fn alias(repo: &ArcRepo, alias: Alias, token: DeleteToken) -> Result<(), Error> { pub(crate) async fn alias(repo: &ArcRepo, alias: Alias, token: DeleteToken) -> Result<(), Error> {
let saved_delete_token = repo.delete_token(&alias).await?; let saved_delete_token = repo.delete_token(&alias).await?;
if saved_delete_token.is_some() && saved_delete_token != Some(token) { if !saved_delete_token.is_some_and(|t| t.ct_eq(&token)) {
return Err(UploadError::InvalidToken.into()); return Err(UploadError::InvalidToken.into());
} }
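Review bot: The rewritten guard `if !saved_delete_token.is_some_and(|t| t.ct_eq(&token))` also changes what happens when no token is stored. The old condition rejected only when a saved token existed and differed, while the new one returns `UploadError::InvalidToken` for `None` as well. Failing closed is the safer default, but the commit title mentions only constant-time equality, so the guard deserves a comment such as `// Fail closed: a missing stored token is rejected the same as a mismatch`. If `alias` is still reached from queued cleanup jobs, it is worth confirming that an alias whose token is already gone cannot leave such a job failing repeatedly. The function body continues outside the hunk.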


@ -71,6 +71,10 @@ impl DeleteToken {
None None
} }
} }
pub(crate) fn ct_eq(&self, rhs: &Self) -> bool {
subtle::ConstantTimeEq::ct_eq(self.id.as_bytes(), rhs.id.as_bytes()).unwrap_u8() == 1
}
} }
impl std::str::FromStr for DeleteToken { impl std::str::FromStr for DeleteToken {
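Review bot: `DeleteToken::ct_eq` has no doc comment, and the removed comparison `saved_delete_token != Some(token)` shows the type also implements `PartialEq`, so nothing visible here stops a later `==` from reintroducing a data-dependent compare. A `///` comment should say that token checks must go through this method, and that `subtle`'s slice comparison returns early when the two byte lengths differ, which is acceptable only if token length is not secret. The conversion can be written `bool::from(subtle::ConstantTimeEq::ct_eq(self.id.as_bytes(), rhs.id.as_bytes()))` rather than `.unwrap_u8() == 1`, and `#[must_use]` would flag a discarded result. The `impl DeleteToken` block starts outside the hunk and the type of `id` is not visible, so what `as_bytes()` yields for each kind of token should be confirmed.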