net-imap 0.4.19 → 0.4.24

data/lib/net/imap/response_reader.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Net
+  class IMAP
+    # See https://www.rfc-editor.org/rfc/rfc9051#section-2.2.2
+    class ResponseReader # :nodoc:
+      attr_reader :client
+
+      def initialize(client, sock)
+        @client, @sock = client, sock
+        @buff = @literal_size = nil
+      end
+
+      def read_response_buffer
+        @buff = String.new
+        catch :eof do
+          while true
+            read_line
+            break unless literal_size
+            read_literal
+          end
+        end
+        buff
+      ensure
+        @buff = @literal_size = nil
+      end
+
+      private
+
+      attr_reader :buff, :literal_size
+
+      def bytes_read;       buff.bytesize                         end
+      def empty?;           buff.empty?                           end
+      def done?;            line_done? && !get_literal_size       end
+      def done?;            line_done? && !literal_size           end
+      def line_done?;       buff.end_with?(CRLF)                  end
+
+      def get_literal_size(buff)
+        buff.end_with?("}\r\n") && buff.rindex(/\{(\d+)\}\r\n\z/n) && $1.to_i
+      end
+
+      def read_line
+        line = (@sock.gets(CRLF, read_limit) or throw :eof)
+        buff << line
+        max_response_remaining! unless line_done?
+        @literal_size = get_literal_size(line)
+      end
+
+      def read_literal
+        # check before allocating memory for literal
+        max_response_remaining!
+        literal = String.new(capacity: literal_size)
+        buff << (@sock.read(read_limit(literal_size), literal) or throw :eof)
+      ensure
+        @literal_size = nil
+      end
+
+      def read_limit(limit = nil)
+        [limit, max_response_remaining!].compact.min
+      end
+
+      def max_response_size;      client.max_response_size                end
+      def max_response_remaining; max_response_size &.- bytes_read        end
+      def response_too_large?;    max_response_size &.< min_response_size end
+      def min_response_size;      bytes_read + min_response_remaining     end
+
+      def min_response_remaining
+        empty? ? 3 : done? ? 0 : (literal_size || 0) + 2
+      end
+
+      def max_response_remaining!
+        return max_response_remaining unless response_too_large?
+        raise ResponseTooLargeError.new(
+          max_response_size: max_response_size,
+          bytes_read:        bytes_read,
+          literal_size:      literal_size,
+        )
+      end
+
+    end
+  end
+end

data/lib/net/imap/sasl/scram_authenticator.rb

@@ -75,13 +75,19 @@ module Net
         # * #password ― Password or passphrase associated with this #username.
         # * _optional_ #authzid ― Alternate identity to act as or on behalf of.
         # * _optional_ #min_iterations - Overrides the default value (4096).
+        # * _optional_ #max_iterations - Overrides the default value (2³¹ - 1).
         #
         # Any other keyword parameters are quietly ignored.
+        #
+        # *NOTE:* <em>It is the user's responsibility</em> to enforce minimum
+        # and maximum iteration counts that are appropriate for their security
+        # context.
         def initialize(username_arg = nil, password_arg = nil,
                        authcid: nil, username: nil,
                        authzid: nil,
                        password: nil, secret: nil,
                        min_iterations: 4096, # see both RFC5802 and RFC7677
+                       max_iterations: 2**31 - 1,  # max int32
                        cnonce: nil, # must only be set in tests
                        **options)
           @username = username || username_arg || authcid or
@@ -94,7 +100,22 @@ module Net
           @min_iterations.positive? or
             raise ArgumentError, "min_iterations must be positive"
 
+          @max_iterations = Integer max_iterations.to_int
+          @min_iterations <= @max_iterations or
+            raise ArgumentError, "max_iterations must be more than min_iterations"
+
           @cnonce = cnonce || SecureRandom.base64(32)
+
+          # These attrs are set from the server challenges
+          @server_first_message = @snonce = @salt = @iterations = nil
+          @server_error = nil
+
+          # Memoized after @salt and @iterations have been sent.
+          @salted_password = @client_key = @server_key = nil
+
+          # These values are created and cached in response to server challenges
+          @client_first_message_bare = nil
+          @client_final_message_without_proof = nil
         end
 
         # Authentication identity: the identity that matches the #password.
@@ -127,8 +148,43 @@ module Net
 
         # The minimal allowed iteration count.  Lower #iterations will raise an
         # Error.
+        #
+        # *WARNING:* The default value (4096) is set to match guidance from
+        # both {RFC5802}[https://www.rfc-editor.org/rfc/rfc5802#page-12]
+        # and RFC7677[https://www.rfc-editor.org/rfc/rfc7677#section-4], but
+        # {modern recommendations}[https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2]
+        # are significantly higher.
+        #
+        # It is ultimately the server's responsibility to securely store
+        # password hashes.  While this parameter can alert the user to
+        # insecure password storage and prevent insecure authentication
+        # exchange, updating the iteration count generally requires resetting
+        # the password on the server.
         attr_reader :min_iterations
 
+        # The maximal allowed iteration count.  Higher #iterations will raise an
+        # Error.
+        #
+        # As noted in {RFC5802}[https://www.rfc-editor.org/rfc/rfc5802#section-9]
+        # >>>
+        #   A hostile server can perform a computational denial-of-service
+        #   attack on clients by sending a big iteration count value.
+        #
+        # *WARNING:* The default value is <tt>2³¹ - 1</tt>, the maximum signed
+        # 32-bit integer.  This is large enough for the computation to take
+        # several minutes, and insufficient protection against hostile servers.
+        #
+        # Note that <tt>OpenSSL::KDF.pbkdf2_hmac</tt> is implemented by a
+        # blocking C function, and cannot be interrupted by +Timeout+ or
+        # <tt>Thread.raise</tt>.  And it keeps the Global VM lock, as of v4.0 of
+        # the +openssl+ gem, so other ruby threads will not be able to run.
+        #
+        # <em>To prevent a denial of service attack,</em> this must be set to a
+        # safe value, depending on hardware and version of OpenSSL.  <em>It is
+        # the user's responsibility</em> to enforce minimum and maximum
+        # iteration counts that are appropriate for their security context.
+        attr_reader :max_iterations
+
         # The client nonce, generated by SecureRandom
         attr_reader :cnonce
 
@@ -147,6 +203,15 @@ module Net
         # Net::IMAP::NoResponseError.
         attr_reader :server_error
 
+        # Memoized ScramAlgorithm#salted_password (needs #salt and #iterations)
+        def salted_password; @salted_password ||= compute_salted { super } end
+
+        # Memoized ScramAlgorithm#client_key (needs #salt and #iterations)
+        def client_key; @client_key ||= compute_salted { super } end
+
+        # Memoized ScramAlgorithm#server_key (needs #salt and #iterations)
+        def server_key; @server_key ||= compute_salted { super } end
+
         # Returns a new OpenSSL::Digest object, set to the appropriate hash
         # function for the chosen mechanism.
         #
@@ -186,6 +251,13 @@ module Net
 
         private
 
+        # Checks for +salt+ and +iterations+ before yielding
+        def compute_salted
+          String === salt        or raise Error, "unknown salt"
+          Integer === iterations or raise Error, "unknown iterations"
+          yield
+        end
+
         # Need to store this for auth_message
         attr_reader :server_first_message
 
@@ -202,6 +274,8 @@ module Net
             raise Error, "server did not send iteration count"
           min_iterations <= iterations or
             raise Error, "too few iterations: %d" % [iterations]
+          max_iterations.nil? || iterations <= max_iterations or
+            raise Error, "too many iterations: %d" % [iterations]
           mext = sparams["m"] and
             raise Error, "mandatory extension: %p" % [mext]
           snonce.start_with? cnonce or

data/lib/net/imap/sequence_set.rb

@@ -178,7 +178,7 @@ module Net
     #
     # <i>Set membership:</i>
     # - #include? (aliased as #member?):
-    #   Returns whether a given object (nz-number, range, or <tt>*</tt>) is
+    #   Returns whether a given element (nz-number, range, or <tt>*</tt>) is
     #   contained by the set.
     # - #include_star?: Returns whether the set contains <tt>*</tt>.
     #
@@ -243,13 +243,13 @@ module Net
     # These methods do not modify +self+.
     #
     # - #| (aliased as #union and #+): Returns a new set combining all members
-    #   from +self+ with all members from the other object.
+    #   from +self+ with all members from the other set.
     # - #& (aliased as #intersection): Returns a new set containing all members
-    #   common to +self+ and the other object.
+    #   common to +self+ and the other set.
     # - #- (aliased as #difference): Returns a copy of +self+ with all members
-    #   in the other object removed.
+    #   in the other set removed.
     # - #^ (aliased as #xor): Returns a new set containing all members from
-    #   +self+ and the other object except those common to both.
+    #   +self+ and the other set except those common to both.
     # - #~ (aliased as #complement): Returns a new set containing all members
     #   that are not in +self+
     # - #limit: Returns a copy of +self+ which has replaced <tt>*</tt> with a
@@ -262,17 +262,17 @@ module Net
     #
     # These methods always update #string to be fully sorted and coalesced.
     #
-    # - #add (aliased as #<<): Adds a given object to the set; returns +self+.
-    # - #add?: If the given object is not an element in the set, adds it and
+    # - #add (aliased as #<<): Adds a given element to the set; returns +self+.
+    # - #add?: If the given element is not fully included the set, adds it and
     #   returns +self+; otherwise, returns +nil+.
-    # - #merge: Merges multiple elements into the set; returns +self+.
+    # - #merge: Adds all members of the given sets into this set; returns +self+.
     # - #complement!: Replaces the contents of the set with its own #complement.
     #
     # <i>Order preserving:</i>
     #
     # These methods _may_ cause #string to not be sorted or coalesced.
     #
-    # - #append: Adds a given object to the set, appending it to the existing
+    # - #append: Adds the given entry to the set, appending it to the existing
     #   string, and returns +self+.
     # - #string=: Assigns a new #string value and replaces #elements to match.
     # - #replace: Replaces the contents of the set with the contents
@@ -283,13 +283,14 @@ module Net
     # sorted and coalesced.
     #
     # - #clear: Removes all elements in the set; returns +self+.
-    # - #delete: Removes a given object from the set; returns +self+.
-    # - #delete?: If the given object is an element in the set, removes it and
+    # - #delete: Removes a given element from the set; returns +self+.
+    # - #delete?: If the given element is included in the set, removes it and
     #   returns it; otherwise, returns +nil+.
     # - #delete_at: Removes the number at a given offset.
     # - #slice!: Removes the number or consecutive numbers at a given offset or
     #   range of offsets.
-    # - #subtract: Removes each given object from the set; returns +self+.
+    # - #subtract: Removes all members of the given sets from this set; returns
+    #   +self+.
     # - #limit!: Replaces <tt>*</tt> with a given maximum value and removes all
     #   members over that maximum; returns +self+.
     #
@@ -326,9 +327,12 @@ module Net
       class << self
 
         # :call-seq:
-        #   SequenceSet[*values] -> valid frozen sequence set
+        #   SequenceSet[*inputs] -> valid frozen sequence set
         #
-        # Returns a frozen SequenceSet, constructed from +values+.
+        # Returns a frozen SequenceSet, constructed from +inputs+.
+        #
+        # When only a single valid frozen SequenceSet is given, that same set is
+        # returned.
         #
         # An empty SequenceSet is invalid and will raise a DataFormatError.
         #
@@ -672,7 +676,7 @@ module Net
       #
       # <tt>(seqset ^ other)</tt> is equivalent to <tt>((seqset | other) -
       # (seqset & other))</tt>.
-      def ^(other) remain_frozen (self | other).subtract(self & other) end
+      def ^(other) remain_frozen (dup | other).subtract(self & other) end
       alias xor :^
 
       # :call-seq:
@@ -694,7 +698,7 @@ module Net
       alias complement :~
 
       # :call-seq:
-      #   add(object)   -> self
+      #   add(element)   -> self
       #   self << other -> self
       #
       # Adds a range or number to the set and returns +self+.
@@ -702,8 +706,8 @@ module Net
       # #string will be regenerated.  Use #merge to add many elements at once.
       #
       # Related: #add?, #merge, #union
-      def add(object)
-        tuple_add input_to_tuple object
+      def add(element)
+        tuple_add input_to_tuple element
         normalize!
       end
       alias << add
@@ -712,9 +716,9 @@ module Net
       #
       # Unlike #add, #merge, or #union, the new value is appended to #string.
       # This may result in a #string which has duplicates or is out-of-order.
-      def append(object)
+      def append(entry)
         modifying!
-        tuple = input_to_tuple object
+        tuple = input_to_tuple entry
         entry = tuple_to_str tuple
         string unless empty? # write @string before tuple_add
         tuple_add tuple
@@ -722,19 +726,19 @@ module Net
         self
       end
 
-      # :call-seq: add?(object) -> self or nil
+      # :call-seq: add?(element) -> self or nil
       #
       # Adds a range or number to the set and returns +self+.  Returns +nil+
-      # when the object is already included in the set.
+      # when the element is already included in the set.
       #
       # #string will be regenerated.  Use #merge to add many elements at once.
       #
       # Related: #add, #merge, #union, #include?
-      def add?(object)
-        add object unless include? object
+      def add?(element)
+        add element unless include? element
       end
 
-      # :call-seq: delete(object) -> self
+      # :call-seq: delete(element) -> self
       #
       # Deletes the given range or number from the set and returns +self+.
       #
@@ -742,8 +746,8 @@ module Net
       # many elements at once.
       #
       # Related: #delete?, #delete_at, #subtract, #difference
-      def delete(object)
-        tuple_subtract input_to_tuple object
+      def delete(element)
+        tuple_subtract input_to_tuple element
         normalize!
       end
 
@@ -779,8 +783,8 @@ module Net
       # #string will be regenerated after deletion.
       #
       # Related: #delete, #delete_at, #subtract, #difference, #disjoint?
-      def delete?(object)
-        tuple = input_to_tuple object
+      def delete?(element)
+        tuple = input_to_tuple element
         if tuple.first == tuple.last
           return unless include_tuple? tuple
           tuple_subtract tuple
@@ -824,33 +828,31 @@ module Net
         deleted
       end
 
-      # Merges all of the elements that appear in any of the +inputs+ into the
+      # Merges all of the elements that appear in any of the +sets+ into the
       # set, and returns +self+.
       #
-      # The +inputs+ may be any objects that would be accepted by ::new:
-      # non-zero 32 bit unsigned integers, ranges, <tt>sequence-set</tt>
-      # formatted strings, other sequence sets, or enumerables containing any of
-      # these.
+      # The +sets+ may be any objects that would be accepted by ::new: non-zero
+      # 32 bit unsigned integers, ranges, <tt>sequence-set</tt> formatted
+      # strings, other sequence sets, or enumerables containing any of these.
       #
-      # #string will be regenerated after all inputs have been merged.
+      # #string will be regenerated after all sets have been merged.
       #
       # Related: #add, #add?, #union
-      def merge(*inputs)
-        tuples_add input_to_tuples inputs
+      def merge(*sets)
+        tuples_add input_to_tuples sets
         normalize!
       end
 
-      # Removes all of the elements that appear in any of the given +objects+
-      # from the set, and returns +self+.
+      # Removes all of the elements that appear in any of the given +sets+ from
+      # the set, and returns +self+.
       #
-      # The +objects+ may be any objects that would be accepted by ::new:
-      # non-zero 32 bit unsigned integers, ranges, <tt>sequence-set</tt>
-      # formatted strings, other sequence sets, or enumerables containing any of
-      # these.
+      # The +sets+ may be any objects that would be accepted by ::new: non-zero
+      # 32 bit unsigned integers, ranges, <tt>sequence-set</tt> formatted
+      # strings, other sequence sets, or enumerables containing any of these.
       #
       # Related: #difference
-      def subtract(*objects)
-        tuples_subtract input_to_tuples objects
+      def subtract(*sets)
+        tuples_subtract input_to_tuples sets
         normalize!
       end
 
@@ -1243,14 +1245,18 @@ module Net
       def slice_range(range)
         first = range.begin ||  0
         last  = range.end   || -1
-        last -= 1 if range.exclude_end? && range.end && last != STAR_INT
+        if range.exclude_end?
+          return remain_frozen_empty if last.zero?
+          last -= 1 if range.end && last != STAR_INT
+        end
         if (first * last).positive? && last < first
-          SequenceSet.empty
+          remain_frozen_empty
         elsif (min = at(first))
           max = at(last)
+          max = :* if max.nil?
           if    max == :*  then self & (min..)
           elsif min <= max then self & (min..max)
-          else                  SequenceSet.empty
+          else                  remain_frozen_empty
           end
         end
       end
@@ -1378,6 +1384,7 @@ module Net
       private
 
       def remain_frozen(set) frozen? ? set.freeze : set end
+      def remain_frozen_empty; frozen? ? SequenceSet.empty : SequenceSet.new end
 
       # frozen clones are shallow copied
       def initialize_clone(other)
@@ -1390,29 +1397,29 @@ module Net
         super
       end
 
-      def input_to_tuple(obj)
-        obj = input_try_convert obj
-        case obj
-        when *STARS, Integer then [int = to_tuple_int(obj), int]
-        when Range           then range_to_tuple(obj)
-        when String          then str_to_tuple(obj)
+      def input_to_tuple(entry)
+        entry = input_try_convert entry
+        case entry
+        when *STARS, Integer then [int = to_tuple_int(entry), int]
+        when Range           then range_to_tuple(entry)
+        when String          then str_to_tuple(entry)
         else
-          raise DataFormatError, "expected number or range, got %p" % [obj]
+          raise DataFormatError, "expected number or range, got %p" % [entry]
         end
       end
 
-      def input_to_tuples(obj)
-        obj = input_try_convert obj
-        case obj
-        when *STARS, Integer, Range then [input_to_tuple(obj)]
-        when String      then str_to_tuples obj
-        when SequenceSet then obj.tuples
-        when ENUMABLE    then obj.flat_map { input_to_tuples _1 }
+      def input_to_tuples(set)
+        set = input_try_convert set
+        case set
+        when *STARS, Integer, Range then [input_to_tuple(set)]
+        when String      then str_to_tuples set
+        when SequenceSet then set.tuples
+        when ENUMABLE    then set.flat_map { input_to_tuples _1 }
         when nil         then []
         else
           raise DataFormatError,
                 "expected nz-number, range, string, or enumerable; " \
-                "got %p" % [obj]
+                "got %p" % [set]
         end
       end