Arbitrary security restriction in UserBadge #49830
Comments
|
I'm fine making it overridable by changing |
Now with SF6.2 and the final class AccessTokenHandler implements AccessTokenHandlerInterface
{
private $client;
public function __construct(
ClientRegistry $clientRegistry,
private readonly EntityManagerInterface $entityManager,
)
{
$this->client = $clientRegistry->getClient('facebook_main');
}
public function getUserBadgeFrom(#[\SensitiveParameter] string $accessToken): UserBadge
{
/** @var FacebookUser $facebookUser */
$facebookUser = $this->client->fetchUserFromToken($accessToken);
$email = $facebookUser->getEmail();
// 1) have they logged in with Facebook before? Easy!
$existingUser = $this->entityManager->getRepository(User::class)->findOneBy(['facebookId' => $facebookUser->getId()]);
if ($existingUser) {
return new UserBadge($existingUser->getIdentifier(), fn() => $existingUser);
}
// 2) do we have a matching user by email?
$user = $this->entityManager->getRepository(User::class)->findOneBy(['email' => $email]);
// 3) Maybe you just want to "register" them by creating
// a User object
$user->setFacebookId($facebookUser->getId());
$this->entityManager->persist($user);
$this->entityManager->flush();
return new UserBadge($user->getIdentifier(), fn() => $user);
}
} |
|
Although the limit is indeed a bit arbitrary, I don't feel very comfortable about allowing users to override the length limit. In the new security system, a lot more functionality can rely on the user identifier and unintentionally create a new risk for CVE-2016-4423. For instance, the login throttling feature also uses the user identifier in both the lock and cache storage. Also, this patch must target 6.3, where we already have much better support for token-based user providers like @Spomky shows. So I would say I would rather challenge code that requires long user identifiers, than allowing increasing the length. |
|
Thanks everyone for reaching out ! @chalasr :
I'm good with that ! @wouterj @Spomky : |
Me neither. I don't believe, We should rather provide an alternative (if there isn't already one) than making that constant overridable. |
Yes, I mentioned it in #49830 (comment) |
|
Let's close here, as it seems to be agreed upon that this does not need fixing on the Symfony side. |
|
Indeed 👍 |
Description
Hello there !
I'm opening a dedicated issue after my original comment here
A recent 6.2 update introduced a security test in UserBadge.
A new MAX_USERNAME_LENGTH constant, set to 4096, test the length of the user identifier to prevent session storage flooding.
The fact that the constant is arbitrary set to 4096 because "it should be more than enough for normal usages" is a problem, because it only relies on personal apreciation.
There should be a way, for people who know the risks, to easily override or bypass that restriction or to change the value of MAX_USERNAME_LENGTH, but the fact that it is a class constant accessed with the "self::" keyword makes it difficult.
I gave an example where this could lead to some blocking situation in my original comment here.
A long term solution could be to add a configuration parameter to properly override MAX_USERNAME_LENGTH if set.
A short term solution could be to, at least, use the "static::" keyword in the MAX_USERNAME_LENGTH test. In that way, it would be possible to extends UserBadge with a custom class, and redefine MAX_USERNAME_LENGTH inside the extending class.
Z.
Example
Short term proposition :
In UserBadge.
Change :
For :
The text was updated successfully, but these errors were encountered: