Commit b8d64d00 authored by ale's avatar ale

validate usernames before querying backend

parent f0394e59
import re
from flask import abort, current_app
from authserv import auth
from authserv import protocol
......@@ -22,8 +23,34 @@ def check_ratelimit(request, username, source_ip):
abort(503)
def _validate_username(username):
"""Validate a username before fetching it from the backend.
More of a syntax check than anything. It's just to save cycles in
case of (only the most trivial of) brute-force / exploitation
attempts.
Returns the validated username (type str).
"""
if not username:
raise Exception('empty username')
if len(username) > 256:
raise Exception('name too long')
# This will throw a UnicodeEncodeError on non-ASCII usernames.
username = str(username)
# Check that it does not contain spaces or newlines.
if re.match(r'\s', username):
raise Exception('invalid characters in username')
return username
def do_auth(username, service, shard, password, otp_token, source_ip,
password_only=False):
# Username must be an ASCII string.
bl = AuthBlackList(current_app.config.get('BLACKLIST_COUNT', 5),
current_app.config.get('BLACKLIST_PERIOD', 600),
current_app.config.get('BLACKLIST_TIME', 6*3600))
......@@ -38,6 +65,12 @@ def do_auth(username, service, shard, password, otp_token, source_ip,
retval = protocol.ERR_AUTHENTICATION_FAILURE
errmsg = 'user does not exist'
out_shard = None
try:
username = _validate_username(username)
except:
return (retval, errmsg, None)
user = current_app.userdb.get_user(username, service, shard)
if user:
retval, errmsg = auth.authenticate(
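Review bot: In `_validate_username` (first hunk) the check `if re.match(r'\s', username):` is anchored at the start of the string, so it only rejects a leading whitespace character; `foo bar` or `foo\nbar` pass the check the comment above it promises, and the fix is `if re.search(r'\s', username):`. The `str(username)` line raises UnicodeEncodeError only when the input is a unicode object, so a byte string carrying non-ASCII octets presumably gets through unchanged — worth confirming what type the request layer hands in. In the second hunk the bare `except:` around the validation call also swallows KeyboardInterrupt and SystemExit; narrowing it to `except Exception:` (or raising ValueError from `_validate_username` and catching `(ValueError, UnicodeEncodeError)`) keeps the same behaviour for rejected names. The body of `do_auth` starts in the first hunk and continues past the end of the second.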