fix: salt parameter splicing

Author: ovx

altcha/altcha.py

@@ -444,6 +444,10 @@ def create_challenge(
     if salt_params:
         salt += "?" + urllib.parse.urlencode(salt_params)
 
+    # Add a delimiter to prevent parameter splicing
+    if not salt.endswith("&"):
+        salt += "&"
+
     challenge = hash_hex(algorithm, (salt + str(number)).encode())
     signature = hmac_hex(algorithm, challenge.encode(), options.hmac_key)
 

tests/test_altcha.py

@@ -228,6 +228,30 @@ def test_verify_solution_malformed_expiry(self):
         result, _ = verify_solution(payload_encoded, self.hmac_key, check_expires=True)
         self.assertFalse(result)
 
+    def test_verify_solution_salt_splicing(self):
+        options = ChallengeOptions(
+            algorithm="SHA-256",
+            max_number=1000,
+            salt_length=16,
+            hmac_key=self.hmac_key,
+            expires=datetime.datetime.now().astimezone()
+            + datetime.timedelta(minutes=1),
+            number=123,
+        )
+        challenge = create_challenge(options)
+        payload = Payload(
+            algorithm="SHA-256",
+            challenge=challenge.challenge,
+            number=23,
+            salt=challenge.salt + "1",
+            signature=challenge.signature,
+        )
+        payload_encoded = base64.b64encode(
+            json.dumps(payload.__dict__).encode()
+        ).decode()
+        result, _ = verify_solution(payload_encoded, self.hmac_key, check_expires=False)
+        self.assertFalse(result)
+
     def test_valid_signature(self):
         expire_time = int(time.time()) + 600  # 10 minutes from now
         verification_data = (