fix: address high-severity security issues from review

- Use subtle.ConstantTimeCompare for static credential checks to prevent timing side-channel attacks - Cap failCounts (100k) and rememberedCreds (10k) maps with eviction to prevent memory exhaustion from botnet-scale scanning - Sweep expired credentials on each auth attempt - Add configurable max_connections (default 500) with semaphore to limit concurrent connections and prevent goroutine/fd exhaustion Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-14 16:41:23 +01:00
parent 51fdea0c2f
commit a40110f2f5
6 changed files with 90 additions and 7 deletions
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -1,12 +1,18 @@
 package auth

 import (
+	"crypto/subtle"
 	"sync"
 	"time"

 	"git.t-juice.club/torjus/oubliette/internal/config"
 )

+const (
+	maxFailCountEntries      = 100000
+	maxRememberedCredentials = 10000
+)
+
 type credKey struct {
 	Username string
 	Password string
@@ -38,9 +44,11 @@ func (a *Authenticator) Authenticate(ip, username, password string) Decision {
 	a.mu.Lock()
 	defer a.mu.Unlock()

-	// 1. Check static credentials.
+	// 1. Check static credentials (constant-time comparison).
 	for _, cred := range a.cfg.StaticCredentials {
-		if cred.Username == username && cred.Password == password {
+		uMatch := subtle.ConstantTimeCompare([]byte(cred.Username), []byte(username))
+		pMatch := subtle.ConstantTimeCompare([]byte(cred.Password), []byte(password))
+		if uMatch == 1 && pMatch == 1 {
 			a.failCounts[ip] = 0
 			return Decision{Accepted: true, Reason: "static_credential"}
 		}
@@ -57,6 +65,7 @@ func (a *Authenticator) Authenticate(ip, username, password string) Decision {
 	}

 	// 3. Increment fail count, check threshold.
+	a.evictIfNeeded()
 	a.failCounts[ip]++
 	if a.failCounts[ip] >= a.cfg.AcceptAfter {
 		a.failCounts[ip] = 0
@@ -66,3 +75,32 @@ func (a *Authenticator) Authenticate(ip, username, password string) Decision {

 	return Decision{Accepted: false, Reason: "rejected"}
 }
+
+// evictIfNeeded removes stale entries when maps exceed their size limits.
+// Must be called with a.mu held.
+func (a *Authenticator) evictIfNeeded() {
+	now := a.now()
+
+	// Sweep expired remembered credentials.
+	for k, expiry := range a.rememberedCreds {
+		if now.After(expiry) {
+			delete(a.rememberedCreds, k)
+		}
+	}
+
+	// If remembered creds still over limit, drop oldest entries.
+	for len(a.rememberedCreds) > maxRememberedCredentials {
+		for k := range a.rememberedCreds {
+			delete(a.rememberedCreds, k)
+			break
+		}
+	}
+
+	// If fail counts over limit, drop arbitrary entries.
+	for len(a.failCounts) > maxFailCountEntries {
+		for k := range a.failCounts {
+			delete(a.failCounts, k)
+			break
+		}
+	}
+}