lemonldap-ng issues (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues, feed updated 2024-03-16T11:40:53Z)

# #3030 Implement ANSSI recommendations for securing the implementation of the Openid-Connect protocol
Author: Yadd, updated 2024-03-16T11:40:53Z, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3030

Ref: [Recommendations for securing the implementation of the Openid-Connect protocol _(fr)_](https://cyber.gouv.fr/publications/recommandations-pour-la-securisation-de-la-mise-en-oeuvre-du-protocole-openid-connect)
> Most of the items are included in %2.18.0 unless mentioned below.
## Items related to LLNG
### [LLNG as OIDC Relying Party](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm):
* [x] Already implemented and enabled
  * [x] Always send `state` _(R10)_
  * [x] Randomly generate `state` and `nonce` _(R11, R15)_
  * [x] Verify `state` _(R22)_
  * [x] Verify `id_token` _(R26, R28)_
  * [x] Check that `/userinfo` response and `id_token` have the same `sub`
  * [x] [Doc about items to check](!430)
* [x] `oidcOPMetaDataOptionsUseNonce` required _(R14)_
* [x] Disable `HS*` algorithms _(to work around the "distinct client_secret" R27 recommendation + R39)_
* `/token` calls:
  * [x] [implement JWS authentication](#3031) _(level+)_
* `code` requests:
  * [x] Implement optional [Passing Request Parameters as JWTs](#3073) during `code` request _(R8 and R8+)_ - release %2.19.0
### [LLNG as OIDC Provider](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm):
* [x] Already implemented and enabled
  * [x] randomly generate `code` _(R18)_
  * [x] randomly generate `access_token` _(R24)_
  * [x] associate `access_token` with RP _(R20)_
  * [x] disable `code` after `/token` call _(R30)_
  * [x] don't write `access_token` in logs _(R32)_
  * [x] limit `access_token` TTL _(R33)_
  * [x] Use session cookie
  * [x] [Doc about items to check](!430)
* [x] hybrid and implicit flows must be disabled _(R1)_
* [x] disable `HS*` algorithms _(to work around the "distinct client_secret" R27 recommendation + R39)_ _**[Restrict]**_
* [x] disable automatic enrollment _(R49)_
* [x] limit `access_token` validity in endpoints to a short time _(R19)_
* [x] reject open redirections _(R17)_
* `code` request:
  * [x] [support JWS authentication](!397) _(R8, R8+)_
  * [x] [accept only one mode per RP](!397) _(R9)_ _**[Restrict]**_
  * [x] accept JWT _(R8 and R8+)_
    * [x] [require it](!427) _**[Out]**_ - release %2.19.0
  * [x] [require `state` and `nonce`](!428) _(R12, R16)_ _**[Restrict]**_ - release %2.19.0
* `/token` calls:
  * [x] [implement JWS authentication](#3031) _(level+)_
    * [x] [require it](!397) _**[Out]**_
* `/userinfo` calls:
  * [x] [authentication using access_token only inside `Authorization: Bearer` header](!429) _(R31)_ _**[Restrict]**_ - release %2.19.0
* [ ] ToDo:
  * Auto-discover:
    * [ ] Disable `/.well-known/openid-configuration` _(R48, given by hand, but then give a way to download the document using the manager)_ _**[Out]**_
  * `code` requests:
    * [ ] [store `code` and `access_token` using hash](!462) _(R21, R25)_ - release %2.19.0
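An added example, written in Python rather than LLNG's own Perl and not taken from the project, of the OP-side and RP-side behaviours ticked in the checklist above (the R-numbers in the comments are the checklist's ANSSI references). Assumptions: an in-memory dict stands in for the session backend, the TTL values and all names (`Provider`, `RelyingParty`, `token_digest`) are mine, and `id_token` signature verification (R26/R28) is done by a JWS layer outside the snippet, which only checks the claims.

```python
"""OP token store with hashed, single-use, RP-bound, short-lived codes and
tokens, plus the RP-side state/nonce/sub checks (example code, not LLNG)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 60            # assumption: seconds a code stays redeemable
ACCESS_TOKEN_TTL = 600   # R33: short access_token lifetime (assumption: 10 min)


def token_digest(secret: str) -> str:
    # R21/R25: the store only ever holds the SHA-256 of a code or token, so a
    # leaked session dump yields nothing an attacker can present.
    return hashlib.sha256(secret.encode()).hexdigest()


class Provider:
    """Minimal OP-side code and access_token store."""

    def __init__(self):
        self._codes = {}
        self._tokens = {}

    def issue_code(self, client_id, redirect_uri, nonce, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)   # R18: CSPRNG, not rand()
        self._codes[token_digest(code)] = {
            "client_id": client_id, "redirect_uri": redirect_uri,
            "nonce": nonce, "expires": now + CODE_TTL,
        }
        return code

    def redeem_code(self, code, client_id, redirect_uri, now=None):
        """/token: returns (access_token, nonce), or None on any failure."""
        now = time.time() if now is None else now
        entry = self._codes.pop(token_digest(code), None)  # R30: pop => single use
        if entry is None or entry["expires"] < now:
            return None
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None   # the code only redeems for the RP that obtained it
        token = secrets.token_urlsafe(32)  # R24: CSPRNG
        self._tokens[token_digest(token)] = {   # R20: token bound to the RP
            "client_id": client_id, "expires": now + ACCESS_TOKEN_TTL,
        }
        return token, entry["nonce"]

    def client_for_token(self, token, now=None):
        """/userinfo: map a bearer token back to its RP, or None (R19)."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token_digest(token))
        if entry is None or entry["expires"] < now:
            return None
        return entry["client_id"]


class RelyingParty:
    """Minimal RP-side checks on the callback."""

    @staticmethod
    def start_login():
        # R10/R11/R15: state and nonce always sent, both from a CSPRNG;
        # the RP keeps them in the browser session until the callback.
        return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}

    @staticmethod
    def finish_login(pending, returned_state, id_token_claims, userinfo):
        # R22: constant-time comparison against the state of this session
        if not hmac.compare_digest(pending["state"], returned_state):
            return None
        # R14: the nonce in the (already signature-checked) id_token must be ours
        if id_token_claims.get("nonce") != pending["nonce"]:
            return None
        # /userinfo and id_token must describe the same subject
        if userinfo.get("sub") != id_token_claims.get("sub"):
            return None
        return id_token_claims["sub"]


def demo_flow():
    """Full happy path with constructed values; returns the authenticated sub."""
    op, rp = Provider(), RelyingParty()
    pending = rp.start_login()
    code = op.issue_code("rp1", "https://rp.example/cb", pending["nonce"])
    token, nonce = op.redeem_code(code, "rp1", "https://rp.example/cb")
    if op.client_for_token(token) != "rp1":
        raise RuntimeError("token not bound to rp1")
    claims = {"sub": "alice", "nonce": nonce}   # constructed id_token claims
    return rp.finish_login(pending, pending["state"], claims, {"sub": "alice"})
```

The `pop` in `redeem_code` is what makes a code single-use even when the redemption is rejected for another reason, which is the conservative choice: a code presented by the wrong RP is burned rather than left redeemable.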
----
Notes:
* _**[Restrict]**: Restricts the OpenID-Connect spec, may break some clients_
* _**[Out]**: out of the OpenID-Connect spec, will break a lot of clients_

Milestone: 2.19.0

# #2466 GD::SecurityImage seems unmaintained
Author: Yadd, updated 2021-02-18T08:17:25Z, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2466

### Concerned version
Version: %2.0.x
Platform: any
### Summary
Looking at the [GD::SecurityImage upstream repo](https://github.com/burak/CPAN-GD-SecurityImage) _(and the [lack of responses](https://github.com/burak/CPAN-GD-SecurityImage/issues) to our bugs)_, this library looks unmaintained. I think we should replace it, either with a better-maintained library or by building our own _(using a fork of GD::Security?)_.
For now, there is no known security issue, which is why I assigned this issue to %"3.0.0".

Milestone: 3.0.0

# #2452 Ubble registration plugin
Author: Yadd, updated 2021-01-28T14:20:23Z, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2452

### Summary
[ubble](https://www.ubble.ai/) helps businesses fight against fraud with its frictionless online identity verification service that uses exclusive video live streaming and A.I. technology.
### Design proposition
Registration plugin to enforce enrollment

Milestone: 3.0.0

# #1823 [Security:improvement] Improved use of cryptography
Author: Raphael Geissert, updated 2023-11-13T14:43:20Z, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1823

Poking at different parts of the code base, it would appear that the use of cryptography by LLNG needs to be reviewed, updated, and simplified. Some examples:
* `Lemonldap::NG::Common::Crypto` has code that uses md5 as what looks like a key-derivation function. PBKDF2 and similar HMAC-based algorithms exist to do that.
* data seems to be encrypted, again with the Crypto module, but not signed. Authenticated encryption should be critical if the encrypted data is ever sent to or received from an untrusted party.
* use of non-crypto-safe RNGs, as in #1803 and #1633.
* Lastly, but worrisome: by using a low-level primitive like AES directly, it appears that some basics were forgotten. The same key appears to be used to sign multiple messages without ever setting an initialization vector, meaning that the IV in use is always zero.
Libraries such as NaCl and libsodium were created to reduce the complexity of using cryptographic functions the right way. Perhaps using one of the Perl bindings to libsodium could be a way to address these problems.
E.g. for #1803 there's `randombytes_uniform`. For encryption, `crypto_secretbox_*`; for data authentication, `crypto_auth`.
Marking this issue as confidential given that the IV reuse could be pretty serious. I have not tried to assess the impact in the case of LLNG.
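An added example, not from the report above and not LLNG code, of the three fixes the report asks for (a real KDF instead of md5, a fresh random IV per message, and authentication of the ciphertext), plus the CSPRNG-only identifier generation it mentions for #1803 and #1633. It is Python standard library only, so a keyed stream cipher built from HMAC-SHA256 stands in for AES; that substitution and all function names are my assumptions, and the point is the IV and authentication hygiene, not the cipher. `keystream_reuse_recovers` shows why the zero-IV pattern matters: with a repeated IV one known plaintext reveals another without the key.

```python
"""KDF, per-message IV, encrypt-then-MAC and CSPRNG ids (example, not LLNG).
The HMAC-based keystream is a stand-in for AES so this runs without a crypto
library; in production use libsodium's crypto_secretbox as the report says."""
import hashlib
import hmac
import secrets

IV_LEN, KEY_LEN, TAG_LEN = 16, 32, 32


def derive_keys(secret: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 instead of an md5 construction: 64 bytes out,
    # one half for encryption and one for authentication (never the same key).
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000, dklen=2 * KEY_LEN)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # toy CTR-style keystream: HMAC(key, iv || counter) blocks (assumption, not AES)
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + ctr.to_bytes(8, "big"), "sha256").digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_zero_iv(key: bytes, plaintext: bytes) -> bytes:
    # The pattern the report describes: fixed all-zero IV, no authentication.
    return _xor(plaintext, _keystream(key, bytes(IV_LEN), len(plaintext)))


def keystream_reuse_recovers(key: bytes, known: bytes, unknown: bytes) -> bytes:
    # CWE-329 in practice: with a repeated IV the keystream repeats, so
    # c1 XOR c2 == m1 XOR m2 and one known plaintext reveals the other
    # (equal-length messages assumed).
    c1, c2 = encrypt_zero_iv(key, known), encrypt_zero_iv(key, unknown)
    return _xor(_xor(c1, c2), known)   # == unknown, computed without the key


def seal(keys: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = keys[:KEY_LEN], keys[KEY_LEN:]
    iv = secrets.token_bytes(IV_LEN)           # fresh CSPRNG IV per message
    ct = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, iv + ct, "sha256").digest()   # encrypt-then-MAC over IV||ct
    return iv + ct + tag


def open_sealed(keys: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = keys[:KEY_LEN], keys[KEY_LEN:]
    if len(blob) < IV_LEN + TAG_LEN:
        raise ValueError("truncated message")
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # verify before touching the ciphertext
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def new_session_id() -> str:
    # #1803/#1633-style fix: identifiers from the OS CSPRNG only, no time/pid
    # mixing and no extra hashing rounds; 32 bytes = 256 bits, as hex.
    return secrets.token_hex(32)
```

Because `seal` authenticates the IV together with the ciphertext, an attacker cannot swap IVs between messages or flip ciphertext bits unnoticed, which is the property the report's "encrypted but not signed" item is about.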
Cf. https://cwe.mitre.org/data/definitions/329.html

Milestone: 3.0.0

# #1808 Room for improvement in Apache::Session::Generate::SHA256
Author: Raphael Geissert, updated 2021-10-16T06:04:16Z, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1808

The `Lemonldap::NG::Common::Apache::Session::Generate::SHA256` module could use an update; it:
* imports some methods like sha256 but doesn't use them,
* reads 64 bytes of urandom, but only because that's the length of the output of sha256_hex,
* does a second round of hashing for no documented reason,
* hashes the output of: `time`, `{}`, and `$$`, but at best they do no harm and at worst they could leak information
Moreover, it doesn't handle the fact that `Crypt::URandom` could croak. Not sure if that's handled nicely by other parts of LLNG?

Milestone: 3.0.0

# #1570 Manager: replace Angular-1* by React/Redux
Author: Yadd, updated 2021-05-16T14:57:31Z, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1570

### Summary
Angular-1.8* is the last version and LTS until ~2022. Since we maintain at least 2 versions, we might replace it before 2020 to be sure to have a well-maintained JS framework.
React used with Redux sounds good to replace Angular-1.

Milestone: 3.0.0

# #1495 Verify if bootstrap vulnerability can be exploited in LLNG
Author: Yadd, updated 2019-01-04T14:58:48Z, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1495

### Concerned version
Version: %"1.9.18", %"2.0.0"
### Summary
The following vulnerabilities were published for twitter-bootstrap3. If LLNG is vulnerable, update Bootstrap to at least 4.1.2.
* [CVE-2018-14040](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14040): In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
* [CVE-2018-14041](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14041): In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
* [CVE-2018-14042](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14042): In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.