mirror of
https://github.com/portainer/portainer.git
synced 2025-07-19 21:39:40 +02:00
fix(auth): prevent user enumeration attack [EE-6832] (#11589)
Some checks are pending
ci / build_images (map[arch:amd64 platform:linux version:]) (push) Waiting to run
ci / build_images (map[arch:amd64 platform:windows version:1809]) (push) Waiting to run
ci / build_images (map[arch:amd64 platform:windows version:ltsc2022]) (push) Waiting to run
ci / build_images (map[arch:arm platform:linux version:]) (push) Waiting to run
ci / build_images (map[arch:arm64 platform:linux version:]) (push) Waiting to run
ci / build_images (map[arch:ppc64le platform:linux version:]) (push) Waiting to run
ci / build_images (map[arch:s390x platform:linux version:]) (push) Waiting to run
ci / build_manifests (push) Blocked by required conditions
/ triage (push) Waiting to run
Lint / Run linters (push) Waiting to run
Test / test-client (push) Waiting to run
Test / test-server (map[arch:amd64 platform:linux]) (push) Waiting to run
Test / test-server (map[arch:amd64 platform:windows version:1809]) (push) Waiting to run
Test / test-server (map[arch:amd64 platform:windows version:ltsc2022]) (push) Waiting to run
Test / test-server (map[arch:arm64 platform:linux]) (push) Waiting to run
Some checks are pending
ci / build_images (map[arch:amd64 platform:linux version:]) (push) Waiting to run
ci / build_images (map[arch:amd64 platform:windows version:1809]) (push) Waiting to run
ci / build_images (map[arch:amd64 platform:windows version:ltsc2022]) (push) Waiting to run
ci / build_images (map[arch:arm platform:linux version:]) (push) Waiting to run
ci / build_images (map[arch:arm64 platform:linux version:]) (push) Waiting to run
ci / build_images (map[arch:ppc64le platform:linux version:]) (push) Waiting to run
ci / build_images (map[arch:s390x platform:linux version:]) (push) Waiting to run
ci / build_manifests (push) Blocked by required conditions
/ triage (push) Waiting to run
Lint / Run linters (push) Waiting to run
Test / test-client (push) Waiting to run
Test / test-server (map[arch:amd64 platform:linux]) (push) Waiting to run
Test / test-server (map[arch:amd64 platform:windows version:1809]) (push) Waiting to run
Test / test-server (map[arch:amd64 platform:windows version:ltsc2022]) (push) Waiting to run
Test / test-server (map[arch:arm64 platform:linux]) (push) Waiting to run
This commit is contained in:
Matt Hook
GitHub
parent
d9df58e93a
commit
48bc7d0d92
2 changed files with 19 additions and 3 deletions
|
|
@ -75,7 +75,12 @@ func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *h
|
||||||
if settings.AuthenticationMethod == portainer.AuthenticationInternal ||
|
if settings.AuthenticationMethod == portainer.AuthenticationInternal ||
|
||||||
settings.AuthenticationMethod == portainer.AuthenticationOAuth ||
|
settings.AuthenticationMethod == portainer.AuthenticationOAuth ||
|
||||||
(settings.AuthenticationMethod == portainer.AuthenticationLDAP && !settings.LDAPSettings.AutoCreateUsers) {
|
(settings.AuthenticationMethod == portainer.AuthenticationLDAP && !settings.LDAPSettings.AutoCreateUsers) {
|
||||||
return httperror.NewError(http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized)
|
// avoid username enumeration timing attack by creating a fake user
|
||||||
|
// https://en.wikipedia.org/wiki/Timing_attack
|
||||||
|
user = &portainer.User{
|
||||||
|
Username: "portainer-fake-username",
|
||||||
|
Password: "$2a$10$abcdefghijklmnopqrstuvwx..ABCDEFGHIJKLMNOPQRSTUVWXYZ12", // fake but valid format bcrypt hash
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -112,7 +117,11 @@ func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portai
|
||||||
func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
|
func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
|
||||||
err := handler.LDAPService.AuthenticateUser(username, password, ldapSettings)
|
err := handler.LDAPService.AuthenticateUser(username, password, ldapSettings)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return httperror.Forbidden("Only initial admin is allowed to login without oauth", err)
|
if errors.Is(err, httperrors.ErrUnauthorized) {
|
||||||
|
return httperror.NewError(http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized)
|
||||||
|
}
|
||||||
|
|
||||||
|
return httperror.InternalServerError("Unable to authenticate user against LDAP", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if user == nil {
|
if user == nil {
|
||||||
|
|
|
||||||
|
|
@ -75,7 +75,14 @@ func (*Service) AuthenticateUser(username, password string, settings *portainer.
|
||||||
|
|
||||||
userDN, err := searchUser(username, connection, settings.SearchSettings)
|
userDN, err := searchUser(username, connection, settings.SearchSettings)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
if errors.Is(err, errUserNotFound) {
|
||||||
|
// prevent user enumeration timing attack by attempting the bind with a fake user
|
||||||
|
// and whatever password was provided should definately fail
|
||||||
|
// https://en.wikipedia.org/wiki/Timing_attack
|
||||||
|
userDN = "portainer-fake-ldap-username"
|
||||||
|
} else {
|
||||||
|
return err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
err = connection.Bind(userDN, password)
|
err = connection.Bind(userDN, password)
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue