-
Notifications
You must be signed in to change notification settings - Fork 673
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Security Warning while using for_user
method
#779
Comments
Thanks for filing. cc @robd003 This is more of a documentation thing as using |
This is an issue only if used with The "bad configuration" is:
|
I understand but there are several projects using it directly without any kind of user's active status validation which makes those projects vulnerable. |
I'm all for adding a logger.error and logger.critical, but outside of that is changing functionality and design principles. I'm not used to CVE reports and actionables in an open source context, but this is my understanding of general good design and consistent behavior for developers. Let me know if that's not how I should be approaching this and why. |
Adding logs can help users to avoid such issues. If possible let's also add more secure examples in docs so it doesn't introduce vulns in their projects. |
@Andrew-Chen-Wang Why don't add an exception raised if using As @dmdhrumilmistry says
and as the vuln doc says: so people doesn't have to check this manually: Because this line in the vuln makes it important I think:
And it won't be shown on vuln scanners. |
Hello folks. How can we go forward with this issue? Our DataDog is giving MEDIUM level for this CVE and it's hard to ignore such cases. We are safe with that, but the issue is increasing noise from our monitoring. Thank you for your effort. |
Adding that it might be a legal requirement for some users not to have this active CVE, for compliance reasons. |
There are valid use cases for utilizing
Some project don't use is_active flag such as for GDPR reasons where a full deletion is required. We have a utility user validation check function, but, as noted before, the problem is utilizing the experimental JWTStatelessUserAuthentication. This means implementing the validation check would incur a database query which completely defeats the purpose of the class. Again, this is a documentation error, that I or any willing users can make a PR for during free time. |
Definitely a valid reason that this should be ack-ed. If it's not really noticeable yet, I've been fairly disengaged due to constrained time for a solid 2 years around SimpleJWT. If anyone would like to assist with a PR (I think our RTDocs are also broken possibly?), I'm happy to take a look. |
I'm happy to spend some time on this, but I need some help understanding what the real problem is. As far as I can see, by design, we separate the logic of validating the user from creating the token, following the standard Django practice where models are kept as simple as possible, and views and serializers implement the actual business logic. That's why As the documentation also states, you need to use Changing the It also looks like I also checked a few of the projects mentioned in the CVE that are believed to be vulnerable, and they all seem to use So the TL;DR version is that, if you follow the documentation, there are no security issues with inactive users. With that being said, I think we could make the following changes:
@dmdhrumilmistry could you shed some light on this please as I might have missed something? |
CVE will only affect the projects that aren't following best practices and writing their custom authenticators without validating user status. The suggested changes seem valid to me. I haven't assigned any severity in NIST database, ratings were provided by the analysts. I've submitted an update in the GitHub advisory to mark vuln as low severity. |
Thanks, @dmdhrumilmistry and please keep us updated! To rectify my previous summary, it looks like only However, it would be beneficial to change these two serializers to behave like the Therefore, I would add one more item to the list of improvements:
As the list above is not required for the change to the CVE severity score, I think it's not an imminent priority so we could wait a bit longer to see if anyone has anything else to add before we start working on it. |
Thank you @marcofucci and @dmdhrumilmistry for your effort. We know how sometimes mentally tough is to manage open-source projects. Thank you for your contribution. |
The severity has been changed to low in GHSA Database |
Thanks for taking the time to look into this @marcofucci. I think the list looks comprehensive; it'll require a major release bump due to changing behavior of significant classes. I've been cleaning up a few tickets, but will probably not have time for this. Would love to see anyone help take on the 4 items Marco listed. |
Add security warning in for_user documentation to avoid introducing vulnerability in other applications.
Security Warning: validate whether user is active or not before generating token for the user. This will only create token for the user, it doesn't perform user validation whether user is active or not.
The text was updated successfully, but these errors were encountered: