Docker/portainer
Docker/portainer
1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-08-09 15:55:23 +02:00
Code Issues Releases Activity

fix(auth): prevent user enumeration attack [EE-6832] (#11591)
Some checks failed
ci / build_images (map[arch:amd64 platform:linux version:]) (push) Has been cancelled
Details
ci / build_images (map[arch:amd64 platform:windows version:1809]) (push) Has been cancelled
Details
ci / build_images (map[arch:amd64 platform:windows version:ltsc2022]) (push) Has been cancelled
Details
ci / build_images (map[arch:arm platform:linux version:]) (push) Has been cancelled
Details
ci / build_images (map[arch:arm64 platform:linux version:]) (push) Has been cancelled
Details
ci / build_images (map[arch:ppc64le platform:linux version:]) (push) Has been cancelled
Details
ci / build_images (map[arch:s390x platform:linux version:]) (push) Has been cancelled
Details
/ triage (push) Has been cancelled
Details
Lint / Run linters (push) Has been cancelled
Details
Test / test-client (push) Has been cancelled
Details
Test / test-server (map[arch:amd64 platform:linux]) (push) Has been cancelled
Details
Test / test-server (map[arch:amd64 platform:windows version:1809]) (push) Has been cancelled
Details
Test / test-server (map[arch:amd64 platform:windows version:ltsc2022]) (push) Has been cancelled
Details
Test / test-server (map[arch:arm64 platform:linux]) (push) Has been cancelled
Details
ci / build_manifests (push) Has been cancelled
Details

Browse source
This commit is contained in:
Matt Hook 2024-04-17 16:09:05 +12:00 committed by GitHub
parent 6f5d9c357f
commit 9191d31e92
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 456 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

13
api/http/handler/auth/authenticate.go
View file

@ -74,7 +74,12 @@ func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *h
if settings.AuthenticationMethod == portainer.AuthenticationInternal ||
settings.AuthenticationMethod == portainer.AuthenticationOAuth ||
(settings.AuthenticationMethod == portainer.AuthenticationLDAP && !settings.LDAPSettings.AutoCreateUsers) {
return &httperror.HandlerError{StatusCode: http.StatusUnprocessableEntity, Message: "Invalid credentials", Err: httperrors.ErrUnauthorized}
// avoid username enumeration timing attack by creating a fake user
// https://en.wikipedia.org/wiki/Timing_attack
user = &portainer.User{
Username: "portainer-fake-username",
Password: "$2a$10$abcdefghijklmnopqrstuvwx..ABCDEFGHIJKLMNOPQRSTUVWXYZ12", // fake but valid format bcrypt hash
}
}
}
@ -111,7 +116,11 @@ func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portai
func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
err := handler.LDAPService.AuthenticateUser(username, password, ldapSettings)
if err != nil {
return httperror.Forbidden("Only initial admin is allowed to login without oauth", err)
if errors.Is(err, httperrors.ErrUnauthorized) {
return httperror.NewError(http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized)
}
return httperror.InternalServerError("Unable to authenticate user against LDAP", err)
}
if user == nil {

2
api/http/handler/handler.go
View file

@ -84,7 +84,7 @@ type Handler struct {
}
// @title PortainerCE API
// @version 2.19.4
// @version 2.19.5
// @description.markdown api-description.md
// @termsOfService