
Merge pull request #233 from CybercentreCanada/hotfix/session_fix
Hotfix/session fix
cccs-sgaron authored Jul 19, 2021
2 parents 6cd8260 + 5914039 commit ce14a66
Showing 1 changed file with 25 additions and 5 deletions.
30 changes: 25 additions & 5 deletions assemblyline_ui/security/authenticator.py
Expand Up @@ -74,17 +74,37 @@ def get_logged_in_user(self):
if not session_id:
if 'session' in request.cookies:
session = request.cookies.get('session')

# Try to load the session by hand to check why is rejected
try:
current_app.session_interface.get_signing_serializer(current_app).loads(session)
session_err = None
except Exception as e:
session_err = f"{type(e).__name__}: {str(e)}"

try:
parts = session.split('.')
data = parts[0] or parts[1]
_, data, expiry, _ = session.split('.')
# Get session details
missing_padding = len(data) % 4
if missing_padding:
data += '=' * (4 - missing_padding)

decoded = zlib.decompress(base64.urlsafe_b64decode(data)).decode('utf-8')
current_app.logger.warning(f'The session found in the cookies was rejected by flask: {decoded}')
except Exception:
current_app.logger.warning(f'The session found in the cookies was rejected by flask: {session}')

# Get session expiry
missing_padding = len(expiry) % 4
if missing_padding:
expiry += '=' * (4 - missing_padding)
expiry_time = int.from_bytes(base64.urlsafe_b64decode(expiry), 'big')

if session_err:
current_app.logger.warning(
f'The session was rejected: {decoded} ({expiry_time}) - Reason: {session_err}')
else:
current_app.logger.warning(f'The session was rejected: {decoded} ({expiry_time})')
except Exception as e:
current_app.logger.warning(
f'The session was rejected and could not be parsed: {session} - Reason: {str(e)}')

abort(401, "Session rejected")
else:
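Review bot: The two new warnings of the form `f'The session was rejected: {decoded} ({expiry_time}) ...'` write the full decoded payload of a cookie that just failed signature or age validation into the application log; that payload is client-controlled (so it can hold arbitrary text, including line breaks that confuse log parsing), and when the rejection is due to expiry or key rotation it holds a real user's session data, as does the raw `{session}` echoed by the fallback warning. Logging `session_err`, the timestamp and at most the top-level keys (for example `sorted(json.loads(decoded))`, assuming the serializer emits JSON as Flask's default one does) keeps the diagnostic value without copying session contents into logs. The `zlib.decompress(...)` on the unchanged context line is also fed the unvalidated cookie with no size cap; `zlib.decompressobj().decompress(raw, 64 * 1024)` or similar would bound the memory an oversized payload can claim before the warning is even written. Separately, if this is the default itsdangerous timestamp signer, the middle segment is the time the cookie was signed rather than an expiry, so `expiry`, `expiry_time` and the `# Get session expiry` comment are misnamed; `signed_at` would read truer. The enclosing `get_logged_in_user` starts before the hunk and continues past it.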
