
JsonLoginAuthenticator::getCredentials() should not allow blank username or password #46100


Closed
rimas-kudelis opened this issue Apr 19, 2022 · 2 comments

Comments

@rimas-kudelis

Symfony version(s) affected

All currently supported versions

Description

When JsonLoginAuthenticator does its job, among other things, it checks that the username passed in the request is a string and that it is not longer than 4096 characters:

```php
try {
    // Resolve the username from the decoded JSON body using the configured path.
    $credentials['username'] = $this->propertyAccessor->getValue($data, $this->options['username_path']);
    if (!\is_string($credentials['username'])) {
        throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['username_path']));
    }
    // Cap the length before any user lookup so oversized input is rejected cheaply.
    if (\strlen($credentials['username']) > Security::MAX_USERNAME_LENGTH) {
        throw new BadCredentialsException('Invalid username.');
    }
} catch (AccessException $e) {
    throw new BadRequestHttpException(sprintf('The key "%s" must be provided.', $this->options['username_path']), $e);
}
```

Further down, it makes sure that the supplied password is also a string:

```php
try {
    $credentials['password'] = $this->propertyAccessor->getValue($data, $this->options['password_path']);
    if (!\is_string($credentials['password'])) {
        throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['password_path']));
    }
} catch (AccessException $e) {
    throw new BadRequestHttpException(sprintf('The key "%s" must be provided.', $this->options['password_path']), $e);
}

// Note: an empty string passes both is_string() checks above.
return $credentials;
```

I propose to additionally check that both username and password consist of at least one character each, so that attempts to login with an empty username or password are refused without making attempts to load the user.

How to reproduce

Enable debugging, add a breakpoint at

```php
$credentials = $this->getCredentials($request);
```

and attempt to trigger a JSON login with a blank username and password. You will see that no BadRequestHttpException is caught here and that the logic proceeds to create a Passport object with two useless badges, one for the blank username and another for the blank password:

```php
public function authenticate(Request $request): Passport
{
    try {
        $credentials = $this->getCredentials($request);
    } catch (BadRequestHttpException $e) {
        $request->setRequestFormat('json');
        throw $e;
    }

    // With blank credentials this still runs: the user provider is asked to load user "".
    $passport = new Passport(
        new UserBadge($credentials['username'], $this->userProvider->loadUserByIdentifier(...)),
        new PasswordCredentials($credentials['password'])
    );
    if ($this->userProvider instanceof PasswordUpgraderInterface) {
        $passport->addBadge(new PasswordUpgradeBadge($credentials['password'], $this->userProvider));
    }

    return $passport;
}
```

Possible Solution

No response

Additional Context

No response
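The following is an added, stand-alone illustration of the validation order the issue describes, with the extra non-empty check it proposes; it is not Symfony's code and not the patch that was eventually merged. The class names `BadRequest` and `BadCredentials`, the `MAX_USERNAME_LENGTH` constant, the dotted-path lookup and the function names are all assumptions made for this example so that it runs without the Symfony components.

```php
<?php
// Added example, not Symfony's code. It mirrors the checks JsonLoginAuthenticator::getCredentials()
// performs (present, string, username length cap) and adds the empty-value rejection the issue
// proposes. BadRequest, BadCredentials, MAX_USERNAME_LENGTH, lookupPath(), readCredential() and
// extractCredentials() are assumptions for this example, not Symfony's real API.

declare(strict_types=1);

final class BadRequest extends RuntimeException {}      // stands in for BadRequestHttpException
final class BadCredentials extends RuntimeException {}  // stands in for BadCredentialsException

const MAX_USERNAME_LENGTH = 4096; // same value as Security::MAX_USERNAME_LENGTH

/**
 * Resolve a dotted path such as "user.login" inside a decoded JSON array.
 * Returns null when any segment is missing, so the caller can report "must be provided".
 */
function lookupPath(array $data, string $path): mixed
{
    $current = $data;
    foreach (explode('.', $path) as $segment) {
        if (!is_array($current) || !array_key_exists($segment, $current)) {
            return null;
        }
        $current = $current[$segment];
    }
    return $current;
}

/**
 * Validate one credential field: present, a string, non-empty and (optionally) not oversized.
 * All checks happen before any user lookup or password hashing, which is the point of the issue.
 */
function readCredential(array $data, string $path, ?int $maxLength = null): string
{
    $value = lookupPath($data, $path);
    if ($value === null) {
        throw new BadRequest(sprintf('The key "%s" must be provided.', $path));
    }
    if (!is_string($value)) {
        throw new BadRequest(sprintf('The key "%s" must be a string.', $path));
    }
    if ($value === '') {
        // The check this issue asks for: "" is a valid JSON string, so is_string() alone
        // lets it through and a user lookup for the empty identifier would be attempted.
        throw new BadRequest(sprintf('The key "%s" must be a non-empty string.', $path));
    }
    if ($maxLength !== null && strlen($value) > $maxLength) {
        throw new BadCredentials('Invalid username.');
    }
    return $value;
}

/**
 * @return array{username: string, password: string}
 */
function extractCredentials(string $rawBody, string $usernamePath = 'username', string $passwordPath = 'password'): array
{
    $data = json_decode($rawBody, true);
    if (!is_array($data)) {
        throw new BadRequest('Invalid JSON.');
    }
    return [
        'username' => readCredential($data, $usernamePath, MAX_USERNAME_LENGTH),
        'password' => readCredential($data, $passwordPath),
    ];
}

// Constructed request bodies exercising each branch (not real traffic).
$cases = [
    'valid'          => '{"username": "alice", "password": "s3cret"}',
    'blank username' => '{"username": "", "password": "s3cret"}',
    'blank password' => '{"username": "alice", "password": ""}',
    'non-string'     => '{"username": ["alice"], "password": "s3cret"}',
    'missing key'    => '{"username": "alice"}',
    'oversized'      => json_encode(['username' => str_repeat('a', MAX_USERNAME_LENGTH + 1), 'password' => 'x']),
];

foreach ($cases as $label => $body) {
    try {
        $creds = extractCredentials($body);
        printf("%-15s accepted (username=%s)\n", $label, $creds['username']);
    } catch (BadRequest | BadCredentials $e) {
        printf("%-15s rejected: %s: %s\n", $label, get_class($e), $e->getMessage());
    }
}
```

Only the `valid` case reaches the point where a real authenticator would build a Passport; every other body is refused before any user provider is consulted. The blank-value check deliberately raises a request-format error rather than a credentials error, since an empty string is malformed input rather than a wrong guess.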

@bikalbasnet

@rimas-kudelis Do you want to open the PR otherwise I can create one right away.

@rimas-kudelis
Author

@bikalbasnet please do, if you don't mind.

@fabpot fabpot closed this as completed Jul 20, 2022
fabpot added a commit that referenced this issue Jul 20, 2022
…d (bikalbasnet)

This PR was squashed before being merged into the 6.2 branch.

Discussion
----------

[Security] Don't allow empty username or empty password

| Q             | A
| ------------- | ---
| Branch?       | 6.2
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | yes
| Tickets       |  #46100
| License       | MIT
| Doc PR        | -
<!--
Replace this notice by a short README for your feature/bugfix.
This will help reviewers and should be a good start for the documentation.

Additionally (see https://symfony.com/releases):
 - Always add tests and ensure they pass.
 - Bug fixes must be submitted against the lowest maintained branch where they apply
   (lowest branches are regularly merged to upper ones so they get the fixes too.)
 - Features and deprecations must be submitted against the latest branch.
 - Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry
 - Never break backward compatibility (see https://symfony.com/bc).
-->

Reopened from #46109 into the `6.1` branch, as this is not a bug but rather a security feature

Commits
-------

db5afbd [Security] Don't allow empty username or empty password