Summary

Add checksum checking when validating VendorChecksum API tokens.

Review Request #12663 — Created Oct. 3, 2022 and submitted Oct. 31, 2022, 2:30 p.m.

Information

Owner

maubin

Repository

Djblets

Branch

release-3.x

Bugs

Depends On

Blocks

12651

Reviewers

Groups

djblets

People

Description

This change makes the VendorChecksumTokenGenerator check the token's checksum
when validating tokens. This makes the token validation more precise and is
useful for weeding out any false positives during secret scanning.

This also fixes the character set that we're using for base62-encoding the
token checksums. The previous one had incorrectly swapped the placement of the
capital and lowercase characters in the set. Tokens that were generated using
the old character set are still considered valid.

Testing Done

Ran unit tests.

Commits

Summary	ID
Add checksum checking when validating VendorChecksum API tokens.	666361c32af88feb525657abd59c032cb7b6f4eb

Issues

Description	From	Last Updated
We might just want to compare against checksum.swapcase() in the conditional directly, so that we don't perform this operation unless …	chipx86	Oct. 28, 2022, 1:29 p.m.

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Change Summary:

Fixes the base62-encoding character set and still validates tokens that use our previous faulty base62-encoding.

Description:

		This change makes the `VendorChecksumTokenGenerator` check the token's checksum
		when validating tokens. This makes the token validation more precise and is
		useful for weeding out any false positives during secret scanning.
	+
	+	This also fixes the character set that we're using for base62-encoding the
	+	token checksums. The previous one had incorrectly swapped the placement of the
	+	capital and lowercase characters in the set. Tokens that were generated using
	+	the old character set are still considered valid.

Commits:

	Summary	ID
	Add checksum checking when validating VendorChecksum API tokens.	d5aba73281ff2d7d415705e95efcc0358accdf84
	Add checksum checking when validating VendorChecksum API tokens.	85745ccbe8575b91006d740676c3092c4282c365

Diff:

Revision 2 (+142 -44)

Show changes

	djblets/secrets/tests/test_vendor_checksum_token_generator.py
	djblets/secrets/token_generators/vendor_checksum.py

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

djblets/secrets/token_generators/vendor_checksum.py (Diff revisions 1 - 2)

The issue has been resolved. Show all issues

We might just want to compare against checksum.swapcase() in the conditional directly, so that we don't perform this operation unless it appears to be a valid token but the checksum fails. That'll be the rare case.

Change Summary:

Compares against checksum.swapcase() directly in the conditional so that the swapcase operation only happens if it needs to.

Commits:

	Summary	ID
	Add checksum checking when validating VendorChecksum API tokens.	85745ccbe8575b91006d740676c3092c4282c365
	Add checksum checking when validating VendorChecksum API tokens.	666361c32af88feb525657abd59c032cb7b6f4eb

Diff:

Revision 3 (+140 -46)

Show changes

	djblets/secrets/tests/test_vendor_checksum_token_generator.py
	djblets/secrets/token_generators/vendor_checksum.py

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Status:: Completed
Change Summary:: Pushed to release-3.x (6b692e6)