Kentico / KInspector

KInspector is an application for analyzing health, performance and security of your Kentico solution.
MIT License

PasswordPolicyModule.cs should check for the PBKDF2 format in K10 #161

Closed bayotop closed 6 years ago

bayotop commented 6 years ago

Kentico 10 introduced a new password hashing algorithm PBKDF2. SHA2SALT is no longer recommended.

See: https://docs.kentico.com/k10/securing-websites/designing-secure-websites/securing-user-accounts-and-passwords/setting-the-user-password-format

ChristopherJennings commented 6 years ago

You're absolutely right @bayotop.

I'm going to mark this as a first-timers-only and provide the steps to resolve below. If you'd like to take it feel free, otherwise, anyone else can take it.

  1. Add a new variable to store the preferred password format
  2. Set that value based on the instanceInfo version (if it's v10 set to PBKDF2, otherwise set it to SHA2SALT)
  3. Use this variable on line 40 instead of the hardcoded value that's there now.
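The three steps above, worked through as an added example (not the KInspector project's own code): the preferred format is derived from the instance version and compared against the configured value instead of a hard-coded "SHA2SALT", and the message names the right target. The "CMSPasswordFormat" setting name, the CheckResult shape and treating versions newer than 10 like 10 are assumptions for illustration.

```csharp
using System;

public enum Status { Good, Warning }

public sealed class CheckResult
{
    public Status Status { get; }
    public string Message { get; }
    public CheckResult(Status status, string message) { Status = status; Message = message; }
}

public static class PasswordFormatCheck
{
    // Steps 1 and 2: pick the preferred format from the instance version.
    // Kentico 10 introduced PBKDF2; SHA2SALT stays the recommendation for earlier versions.
    // (Assumption: versions newer than 10 are treated like 10.)
    public static string PreferredFormat(Version instanceVersion) =>
        instanceVersion.Major >= 10 ? "PBKDF2" : "SHA2SALT";

    // Step 3: compare the configured value (assumed to come from the CMSPasswordFormat
    // setting) against the preferred one rather than a hard-coded "SHA2SALT".
    public static CheckResult Evaluate(Version instanceVersion, string configuredFormat)
    {
        var preferred = PreferredFormat(instanceVersion);
        var actual = (configuredFormat ?? string.Empty).Trim();

        if (string.Equals(actual, preferred, StringComparison.OrdinalIgnoreCase))
            return new CheckResult(Status.Good, $"Password format is {preferred}.");

        // The error message now depends on the version as well.
        return new CheckResult(Status.Warning,
            $"Password format is '{actual}'. Kentico {instanceVersion.Major} should use {preferred}.");
    }

    public static void Main()
    {
        // Constructed sample inputs covering the four cases discussed in this thread.
        foreach (var (version, format) in new[] {
            (new Version("9.0"), "SHA2SALT"), (new Version("9.0"), "PBKDF2"),
            (new Version("10.0"), "PBKDF2"), (new Version("10.0"), "SHA2SALT") })
        {
            var result = Evaluate(version, format);
            Console.WriteLine($"v{version} {format,-9} -> {result.Status}: {result.Message}");
        }
    }
}
```
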

LegionsMan commented 6 years ago

Hey, guys. I would like to take this one. I'm new to GitHub, so I'm still trying to figure out how to clone and start the project.

ChristopherJennings commented 6 years ago

That's excellent. Let us know if you need anything or have any questions.

LegionsMan commented 6 years ago

Chris, are those the bug steps above? Also, how would I test my changes?

ChristopherJennings commented 6 years ago

The steps above should be everything needed to perform the check correctly. The error message should be updated as well.

Testing can be done by running the module against instances of Kentico 9 and 10 with different password format settings. The module should report OK for SHA2 with Salt in V9 (and earlier) and OK for PBKDF2 in V10. Otherwise it should recommend SHA2 for v9 (and earlier) and PBKDF2 for v10.

LegionsMan commented 6 years ago

Okay, because I'm new to coding, I'm going to ask questions - lol! So, am I only working with the PasswordPolicyModule.cs in Kentico.KInspector.Modules and running it against Kentico.KInspector.Tests?

ChristopherJennings commented 6 years ago

Sorry for the delay in response! We had a very busy holiday season and this fell through the cracks.

The only file you should need to touch for the actual fix is PasswordPolicyModule.cs inside the Kentico.KInspector.Modules project.

As for the tests, you can modify the appropriate tests to set the instance version to V9 by adding: mockInstanceInfo.Setup(_ => _.Version).Returns(new Version("9.0")); when setting up each test. If you are feeling adventuresome, you can add tests for V10 and for the other versions as well.

We need to dramatically overhaul the unit test of KInspector, so don't worry about that too much right now.