Verify OAuth Username vuln and fix closes #9
This commit is contained in:
parent
289be46388
commit
17132ebc19
|
@ -2,7 +2,6 @@
|
||||||
import json
|
import json
|
||||||
from logging import getLogger
|
from logging import getLogger
|
||||||
|
|
||||||
from django.contrib.auth import get_user_model
|
|
||||||
from requests.exceptions import RequestException
|
from requests.exceptions import RequestException
|
||||||
|
|
||||||
from passbook.oauth_client.clients import OAuth2Client
|
from passbook.oauth_client.clients import OAuth2Client
|
||||||
|
@ -50,12 +49,11 @@ class DiscordOAuth2Callback(OAuthCallback):
|
||||||
client_class = DiscordOAuth2Client
|
client_class = DiscordOAuth2Client
|
||||||
|
|
||||||
def get_or_create_user(self, source, access, info):
|
def get_or_create_user(self, source, access, info):
|
||||||
user = get_user_model()
|
|
||||||
user_data = {
|
user_data = {
|
||||||
user.USERNAME_FIELD: info.get('username'),
|
'username': info.get('username'),
|
||||||
'email': info.get('email', 'None'),
|
'email': info.get('email', 'None'),
|
||||||
'first_name': info.get('username'),
|
'first_name': info.get('username'),
|
||||||
'password': None,
|
'password': None,
|
||||||
}
|
}
|
||||||
discord_user = user_get_or_create(user_model=user, **user_data)
|
discord_user = user_get_or_create(**user_data)
|
||||||
return discord_user
|
return discord_user
|
||||||
|
|
|
@ -1,7 +1,5 @@
|
||||||
"""Facebook OAuth Views"""
|
"""Facebook OAuth Views"""
|
||||||
|
|
||||||
from django.contrib.auth import get_user_model
|
|
||||||
|
|
||||||
from passbook.oauth_client.source_types.manager import MANAGER, RequestKind
|
from passbook.oauth_client.source_types.manager import MANAGER, RequestKind
|
||||||
from passbook.oauth_client.utils import user_get_or_create
|
from passbook.oauth_client.utils import user_get_or_create
|
||||||
from passbook.oauth_client.views.core import OAuthCallback, OAuthRedirect
|
from passbook.oauth_client.views.core import OAuthCallback, OAuthRedirect
|
||||||
|
@ -22,12 +20,11 @@ class FacebookOAuth2Callback(OAuthCallback):
|
||||||
"""Facebook OAuth2 Callback"""
|
"""Facebook OAuth2 Callback"""
|
||||||
|
|
||||||
def get_or_create_user(self, source, access, info):
|
def get_or_create_user(self, source, access, info):
|
||||||
user = get_user_model()
|
|
||||||
user_data = {
|
user_data = {
|
||||||
user.USERNAME_FIELD: info.get('name'),
|
'username': info.get('name'),
|
||||||
'email': info.get('email', ''),
|
'email': info.get('email', ''),
|
||||||
'first_name': info.get('name'),
|
'first_name': info.get('name'),
|
||||||
'password': None,
|
'password': None,
|
||||||
}
|
}
|
||||||
fb_user = user_get_or_create(user_model=user, **user_data)
|
fb_user = user_get_or_create(**user_data)
|
||||||
return fb_user
|
return fb_user
|
||||||
|
|
|
@ -1,7 +1,5 @@
|
||||||
"""GitHub OAuth Views"""
|
"""GitHub OAuth Views"""
|
||||||
|
|
||||||
from django.contrib.auth import get_user_model
|
|
||||||
|
|
||||||
from passbook.oauth_client.source_types.manager import MANAGER, RequestKind
|
from passbook.oauth_client.source_types.manager import MANAGER, RequestKind
|
||||||
from passbook.oauth_client.utils import user_get_or_create
|
from passbook.oauth_client.utils import user_get_or_create
|
||||||
from passbook.oauth_client.views.core import OAuthCallback
|
from passbook.oauth_client.views.core import OAuthCallback
|
||||||
|
@ -12,12 +10,11 @@ class GitHubOAuth2Callback(OAuthCallback):
|
||||||
"""GitHub OAuth2 Callback"""
|
"""GitHub OAuth2 Callback"""
|
||||||
|
|
||||||
def get_or_create_user(self, source, access, info):
|
def get_or_create_user(self, source, access, info):
|
||||||
user = get_user_model()
|
|
||||||
user_data = {
|
user_data = {
|
||||||
user.USERNAME_FIELD: info.get('login'),
|
'username': info.get('login'),
|
||||||
'email': info.get('email', ''),
|
'email': info.get('email', ''),
|
||||||
'first_name': info.get('name'),
|
'first_name': info.get('name'),
|
||||||
'password': None,
|
'password': None,
|
||||||
}
|
}
|
||||||
gh_user = user_get_or_create(user_model=user, **user_data)
|
gh_user = user_get_or_create(**user_data)
|
||||||
return gh_user
|
return gh_user
|
||||||
|
|
|
@ -1,6 +1,4 @@
|
||||||
"""Google OAuth Views"""
|
"""Google OAuth Views"""
|
||||||
from django.contrib.auth import get_user_model
|
|
||||||
|
|
||||||
from passbook.oauth_client.source_types.manager import MANAGER, RequestKind
|
from passbook.oauth_client.source_types.manager import MANAGER, RequestKind
|
||||||
from passbook.oauth_client.utils import user_get_or_create
|
from passbook.oauth_client.utils import user_get_or_create
|
||||||
from passbook.oauth_client.views.core import OAuthCallback, OAuthRedirect
|
from passbook.oauth_client.views.core import OAuthCallback, OAuthRedirect
|
||||||
|
@ -21,12 +19,11 @@ class GoogleOAuth2Callback(OAuthCallback):
|
||||||
"""Google OAuth2 Callback"""
|
"""Google OAuth2 Callback"""
|
||||||
|
|
||||||
def get_or_create_user(self, source, access, info):
|
def get_or_create_user(self, source, access, info):
|
||||||
user = get_user_model()
|
|
||||||
user_data = {
|
user_data = {
|
||||||
user.USERNAME_FIELD: info.get('email'),
|
'username': info.get('email'),
|
||||||
'email': info.get('email', ''),
|
'email': info.get('email', ''),
|
||||||
'first_name': info.get('name'),
|
'first_name': info.get('name'),
|
||||||
'password': None,
|
'password': None,
|
||||||
}
|
}
|
||||||
google_user = user_get_or_create(user_model=user, **user_data)
|
google_user = user_get_or_create(**user_data)
|
||||||
return google_user
|
return google_user
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
import json
|
import json
|
||||||
from logging import getLogger
|
from logging import getLogger
|
||||||
|
|
||||||
from django.contrib.auth import get_user_model
|
|
||||||
from requests.auth import HTTPBasicAuth
|
from requests.auth import HTTPBasicAuth
|
||||||
from requests.exceptions import RequestException
|
from requests.exceptions import RequestException
|
||||||
|
|
||||||
|
@ -59,12 +58,11 @@ class RedditOAuth2Callback(OAuthCallback):
|
||||||
client_class = RedditOAuth2Client
|
client_class = RedditOAuth2Client
|
||||||
|
|
||||||
def get_or_create_user(self, source, access, info):
|
def get_or_create_user(self, source, access, info):
|
||||||
user = get_user_model()
|
|
||||||
user_data = {
|
user_data = {
|
||||||
user.USERNAME_FIELD: info.get('name'),
|
'username': info.get('name'),
|
||||||
'email': None,
|
'email': None,
|
||||||
'first_name': info.get('name'),
|
'first_name': info.get('name'),
|
||||||
'password': None,
|
'password': None,
|
||||||
}
|
}
|
||||||
reddit_user = user_get_or_create(user_model=user, **user_data)
|
reddit_user = user_get_or_create(**user_data)
|
||||||
return reddit_user
|
return reddit_user
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
import json
|
import json
|
||||||
from logging import getLogger
|
from logging import getLogger
|
||||||
|
|
||||||
from django.contrib.auth import get_user_model
|
|
||||||
from requests.exceptions import RequestException
|
from requests.exceptions import RequestException
|
||||||
|
|
||||||
from passbook.oauth_client.clients import OAuth2Client
|
from passbook.oauth_client.clients import OAuth2Client
|
||||||
|
@ -44,12 +43,11 @@ class SupervisrOAuthCallback(OAuthCallback):
|
||||||
return info['pk']
|
return info['pk']
|
||||||
|
|
||||||
def get_or_create_user(self, source, access, info):
|
def get_or_create_user(self, source, access, info):
|
||||||
user = get_user_model()
|
|
||||||
user_data = {
|
user_data = {
|
||||||
user.USERNAME_FIELD: info.get('username'),
|
'username': info.get('username'),
|
||||||
'email': info.get('email', ''),
|
'email': info.get('email', ''),
|
||||||
'first_name': info.get('first_name'),
|
'first_name': info.get('first_name'),
|
||||||
'password': None,
|
'password': None,
|
||||||
}
|
}
|
||||||
sv_user = user_get_or_create(user_model=user, **user_data)
|
sv_user = user_get_or_create(**user_data)
|
||||||
return sv_user
|
return sv_user
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
|
|
||||||
from logging import getLogger
|
from logging import getLogger
|
||||||
|
|
||||||
from django.contrib.auth import get_user_model
|
|
||||||
from requests.exceptions import RequestException
|
from requests.exceptions import RequestException
|
||||||
|
|
||||||
from passbook.oauth_client.clients import OAuthClient
|
from passbook.oauth_client.clients import OAuthClient
|
||||||
|
@ -36,12 +35,11 @@ class TwitterOAuthCallback(OAuthCallback):
|
||||||
client_class = TwitterOAuthClient
|
client_class = TwitterOAuthClient
|
||||||
|
|
||||||
def get_or_create_user(self, source, access, info):
|
def get_or_create_user(self, source, access, info):
|
||||||
user = get_user_model()
|
|
||||||
user_data = {
|
user_data = {
|
||||||
user.USERNAME_FIELD: info.get('screen_name'),
|
'username': info.get('screen_name'),
|
||||||
'email': info.get('email', ''),
|
'email': info.get('email', ''),
|
||||||
'first_name': info.get('name'),
|
'first_name': info.get('name'),
|
||||||
'password': None,
|
'password': None,
|
||||||
}
|
}
|
||||||
tw_user = user_get_or_create(user_model=user, **user_data)
|
tw_user = user_get_or_create(**user_data)
|
||||||
return tw_user
|
return tw_user
|
||||||
|
|
|
@ -1,16 +1,17 @@
|
||||||
"""OAuth Client User Creation Utils"""
|
"""OAuth Client User Creation Utils"""
|
||||||
|
|
||||||
from django.contrib.auth import get_user_model
|
|
||||||
from django.db.utils import IntegrityError
|
from django.db.utils import IntegrityError
|
||||||
|
|
||||||
|
from passbook.core.models import User
|
||||||
|
|
||||||
def user_get_or_create(user_model=None, **kwargs):
|
|
||||||
|
def user_get_or_create(**kwargs):
|
||||||
"""Create user or return existing user"""
|
"""Create user or return existing user"""
|
||||||
if user_model is None:
|
|
||||||
user_model = get_user_model()
|
|
||||||
try:
|
try:
|
||||||
new_user = user_model.objects.create_user(**kwargs)
|
new_user = User.objects.create_user(**kwargs)
|
||||||
except IntegrityError:
|
except IntegrityError:
|
||||||
# TODO: Fix potential username change vuln
|
# At this point we've already checked that there is no existing connection
|
||||||
new_user = user_model.objects.get(username=kwargs['username'])
|
# to any user. Hence if we can't create the user,
|
||||||
|
kwargs['username'] = '%s_1' % kwargs['username']
|
||||||
|
new_user = User.objects.create_user(**kwargs)
|
||||||
return new_user
|
return new_user
|
||||||
|
|
|
@ -113,7 +113,9 @@ class OAuthCallback(OAuthClientMixin, View):
|
||||||
)
|
)
|
||||||
user = authenticate(source=self.source, identifier=identifier, request=request)
|
user = authenticate(source=self.source, identifier=identifier, request=request)
|
||||||
if user is None:
|
if user is None:
|
||||||
|
LOGGER.debug("Handling new user")
|
||||||
return self.handle_new_user(self.source, connection, info)
|
return self.handle_new_user(self.source, connection, info)
|
||||||
|
LOGGER.debug("Handling existing user")
|
||||||
return self.handle_existing_user(self.source, user, connection, info)
|
return self.handle_existing_user(self.source, user, connection, info)
|
||||||
|
|
||||||
# pylint: disable=unused-argument
|
# pylint: disable=unused-argument
|
||||||
|
|
Reference in New Issue