llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-09-07 11:00:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: password leakage vulnerability caused by pagination (#527)

Browse Source 
* fix: password leakage vulnerability caused by pagination

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>

* fix: unsafe get-app-login response fields

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
This commit is contained in:
Yixiang Zhao
2022-03-02 20:58:16 +08:00
committed by GitHub
parent 2a0dcd746f
commit 83a6b757a4
3 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
controllers/auth.go
View File

@@ -118,6 +118,7 @@ func (c *ApiController) GetApplicationLogin() {
state := c.Input().Get("state") state := c.Input().Get("state")
msg, application := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state) msg, application := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state)
application = object.GetMaskedApplication(application, "")
if msg != "" { if msg != "" {
c.ResponseError(msg, application) c.ResponseError(msg, application)
} else { } else {

2
controllers/user.go
View File

@@ -44,6 +44,7 @@ func (c *ApiController) GetGlobalUsers() {
limit := util.ParseInt(limit) limit := util.ParseInt(limit)
paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetGlobalUserCount(field, value))) paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetGlobalUserCount(field, value)))
users := object.GetPaginationGlobalUsers(paginator.Offset(), limit, field, value, sortField, sortOrder) users := object.GetPaginationGlobalUsers(paginator.Offset(), limit, field, value, sortField, sortOrder)
users = object.GetMaskedUsers(users)
c.ResponseOk(users, paginator.Nums()) c.ResponseOk(users, paginator.Nums())
} }
} }
@@ -70,6 +71,7 @@ func (c *ApiController) GetUsers() {
limit := util.ParseInt(limit) limit := util.ParseInt(limit)
paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetUserCount(owner, field, value))) paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetUserCount(owner, field, value)))
users := object.GetPaginationUsers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder) users := object.GetPaginationUsers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
users = object.GetMaskedUsers(users)
c.ResponseOk(users, paginator.Nums()) c.ResponseOk(users, paginator.Nums())
} }
} }

14
object/application.go
View File

@@ -217,7 +217,19 @@ func GetMaskedApplication(application *Application, userId string) *Application
if application.ClientSecret != "" { if application.ClientSecret != "" {
application.ClientSecret = "***" application.ClientSecret = "***"
} }
return application
if application.OrganizationObj != nil {
if application.OrganizationObj.MasterPassword != "" {
application.OrganizationObj.MasterPassword = "***"
}
if application.OrganizationObj.PasswordType != "" {
application.OrganizationObj.PasswordType = "***"
}
if application.OrganizationObj.PasswordSalt != "" {
application.OrganizationObj.PasswordSalt = "***"
}
}
return application
} }
func GetMaskedApplications(applications []*Application, userId string) []*Application { func GetMaskedApplications(applications []*Application, userId string) []*Application {