Skip to content

Commit af08800

Browse files
authored
Username enumeration fix (#2144)
1 parent 319b2d0 commit af08800

11 files changed

Lines changed: 503 additions & 45 deletions

File tree

.github/workflows/regular-tests.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ jobs:
1414
with:
1515
go-version: 'stable'
1616
- working-directory: backend
17-
run: go test -race -v ./...
17+
run: go test -race -v ./... -timeout 30s
1818
lint-backend:
1919
runs-on: ubuntu-latest
2020
steps:

CHANGELOG.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file. For commit
44

55
## v1.3.2-beta
66

7+
**Security**:
8+
- Patched Username Enumeration via Authentication Timing Side-Channel GHSA-7789-65hx-f26w
9+
710
**Notes**:
811
- Downloading multiple files streams the archive creation rather than using cacheDir -- thanks @janakoram (#2125) (#2130)
912
- `server.maxArchiveSizeGB` deprecated since its no longer an issue with archive streaming.

backend/auth/json.go

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ import (
99
"strings"
1010

1111
"github.com/gtsteffaniak/filebrowser/backend/common/errors"
12+
"github.com/gtsteffaniak/filebrowser/backend/common/utils"
1213
"github.com/gtsteffaniak/filebrowser/backend/database/users"
1314
)
1415

@@ -42,15 +43,21 @@ func (auther JSONAuth) Auth(r *http.Request, userStore *users.Storage) (*users.U
4243
}
4344
}
4445

45-
user, err := userStore.Get(username)
46-
if err != nil {
47-
return nil, fmt.Errorf("unable to get user from store: %v", err)
46+
user, getErr := userStore.Get(username)
47+
var passwordHash string
48+
if getErr != nil {
49+
passwordHash = utils.InvalidPasswordHash
50+
} else {
51+
passwordHash = user.Password
4852
}
49-
err = users.CheckPwd(password, user.Password)
53+
// always run checkPwd to prevent timing attacks
54+
err = utils.CheckPwd(password, passwordHash)
5055
if err != nil {
5156
return nil, err
5257
}
53-
58+
if getErr != nil {
59+
return nil, fmt.Errorf("unable to get user from store: %v", err)
60+
}
5461
// check for OTP for password
5562
if user.TOTPSecret != "" {
5663
if totpCode == "" {

0 commit comments

Comments
 (0)