|
 |
83f9de |
From 5aa2c77ac1ac544ed6b3a2c5efa767e53b810c3b Mon Sep 17 00:00:00 2001
|
|
|
83f9de |
From: linoman <2051016+linoman@users.noreply.github.com>
|
|
|
83f9de |
Date: Fri, 16 Sep 2022 10:46:44 +0200
|
|
|
83f9de |
Subject: [PATCH] fix CVE-2022-39229
|
|
|
83f9de |
|
|
|
83f9de |
Swap order of login fields
|
|
|
83f9de |
|
|
|
83f9de |
(cherry picked from commit 5ec176cada3d8adf651f844e3f707bc469495abd)
|
|
|
83f9de |
|
|
|
83f9de |
Add test for username/login field conflict
|
|
|
83f9de |
|
|
|
83f9de |
(cherry picked from commit 7aabcf26944835b0418eec6b057a0b186ff206bf)
|
|
|
83f9de |
|
|
|
83f9de |
Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
|
|
|
83f9de |
Co-authored-by: dsotirakis <dimitrios.sotirakis@grafana.com>
|
|
|
83f9de |
|
|
|
83f9de |
diff --git a/pkg/services/sqlstore/user.go b/pkg/services/sqlstore/user.go
|
|
|
83f9de |
index 3dba16a75e..d773bd9dfe 100644
|
|
|
83f9de |
--- a/pkg/services/sqlstore/user.go
|
|
|
83f9de |
+++ b/pkg/services/sqlstore/user.go
|
|
|
83f9de |
@@ -298,19 +298,24 @@ func GetUserByLogin(query *models.GetUserByLoginQuery) error {
|
|
|
83f9de |
return models.ErrUserNotFound
|
|
|
83f9de |
}
|
|
|
83f9de |
|
|
|
83f9de |
- // Try and find the user by login first.
|
|
|
83f9de |
- // It's not sufficient to assume that a LoginOrEmail with an "@" is an email.
|
|
|
83f9de |
+ var has bool
|
|
|
83f9de |
+ var err error
|
|
|
83f9de |
user := &models.User{Login: query.LoginOrEmail}
|
|
|
83f9de |
- has, err := x.Get(user)
|
|
|
83f9de |
|
|
|
83f9de |
- if err != nil {
|
|
|
83f9de |
- return err
|
|
|
83f9de |
+ // Since username can be an email address, attempt login with email address
|
|
|
83f9de |
+ // first if the login field has the "@" symbol.
|
|
|
83f9de |
+ if strings.Contains(query.LoginOrEmail, "@") {
|
|
|
83f9de |
+ user = &models.User{Email: query.LoginOrEmail}
|
|
|
83f9de |
+ has, err = x.Get(user)
|
|
|
83f9de |
+
|
|
|
83f9de |
+ if err != nil {
|
|
|
83f9de |
+ return err
|
|
|
83f9de |
+ }
|
|
|
83f9de |
}
|
|
|
83f9de |
|
|
|
83f9de |
- if !has && strings.Contains(query.LoginOrEmail, "@") {
|
|
|
83f9de |
- // If the user wasn't found, and it contains an "@" fallback to finding the
|
|
|
83f9de |
- // user by email.
|
|
|
83f9de |
- user = &models.User{Email: query.LoginOrEmail}
|
|
|
83f9de |
+ // Lookup the login field instead of email field
|
|
|
83f9de |
+ if !has {
|
|
|
83f9de |
+ user = &models.User{Login: query.LoginOrEmail}
|
|
|
83f9de |
has, err = x.Get(user)
|
|
|
83f9de |
}
|
|
|
83f9de |
|
|
|
83f9de |
diff --git a/pkg/services/sqlstore/user_test.go b/pkg/services/sqlstore/user_test.go
|
|
|
83f9de |
index aa796ffb02..7fb9d9be2a 100644
|
|
|
83f9de |
--- a/pkg/services/sqlstore/user_test.go
|
|
|
83f9de |
+++ b/pkg/services/sqlstore/user_test.go
|
|
|
83f9de |
@@ -42,6 +43,45 @@ func TestUserDataAccess(t *testing.T) {
|
|
|
83f9de |
})
|
|
|
83f9de |
})
|
|
|
83f9de |
|
|
|
83f9de |
+ Convey("Get User by login - user_2 uses user_1.email as login", func() {
|
|
|
83f9de |
+ ss = InitTestDB(t)
|
|
|
83f9de |
+
|
|
|
83f9de |
+ // create user_1
|
|
|
83f9de |
+ cmd1 := &models.CreateUserCommand{
|
|
|
83f9de |
+ Email: "user_1@mail.com",
|
|
|
83f9de |
+ Name: "user_1",
|
|
|
83f9de |
+ Login: "user_1",
|
|
|
83f9de |
+ Password: "user_1_password",
|
|
|
83f9de |
+ IsDisabled: true,
|
|
|
83f9de |
+ }
|
|
|
83f9de |
+ err := CreateUser(context.Background(), cmd1)
|
|
|
83f9de |
+ So(err, ShouldBeNil)
|
|
|
83f9de |
+
|
|
|
83f9de |
+ // create user_2
|
|
|
83f9de |
+ cmd2 := &models.CreateUserCommand{
|
|
|
83f9de |
+ Email: "user_2@mail.com",
|
|
|
83f9de |
+ Name: "user_2",
|
|
|
83f9de |
+ Login: "user_1@mail.com",
|
|
|
83f9de |
+ Password: "user_2_password",
|
|
|
83f9de |
+ IsDisabled: true,
|
|
|
83f9de |
+ }
|
|
|
83f9de |
+ err = CreateUser(context.Background(), cmd2)
|
|
|
83f9de |
+ So(err, ShouldBeNil)
|
|
|
83f9de |
+
|
|
|
83f9de |
+ // query user database for user_1 email
|
|
|
83f9de |
+ query := models.GetUserByLoginQuery{LoginOrEmail: "user_1@mail.com"}
|
|
|
83f9de |
+ err = GetUserByLogin(&query)
|
|
|
83f9de |
+ So(err, ShouldBeNil)
|
|
|
83f9de |
+
|
|
|
83f9de |
+ // expect user_1 as result
|
|
|
83f9de |
+ So(query.Result.Email, ShouldEqual, cmd1.Email)
|
|
|
83f9de |
+ So(query.Result.Login, ShouldEqual, cmd1.Login)
|
|
|
83f9de |
+ So(query.Result.Name, ShouldEqual, cmd1.Name)
|
|
|
83f9de |
+ So(query.Result.Email, ShouldNotEqual, cmd2.Email)
|
|
|
83f9de |
+ So(query.Result.Login, ShouldNotEqual, cmd2.Login)
|
|
|
83f9de |
+ So(query.Result.Name, ShouldNotEqual, cmd2.Name)
|
|
|
83f9de |
+ })
|
|
|
83f9de |
+
|
|
|
83f9de |
Convey("Creates disabled user", func() {
|
|
|
83f9de |
cmd := &models.CreateUserCommand{
|
|
|
83f9de |
Email: "usertest@test.com",
|