box: don't stop parsing authentication request if user doesn't exist
Currently, we stop without checking the authentication request body if the specified user doesn't exist. As a result, one can check if a user exists by sending a malformed authentication request: for an existing user, the server will reply with ER_INVALID_MSGPACK error while if the user doesn't exist, the error will be set to ER_CREDS_MISMATCH.

To fix this, let's parse the authentication request body even if the user doesn't exist.

Closes https://github.com/tarantool/security/issues/21

NO_DOC=bug fix
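The error-code oracle the commit message describes, and the effect of reordering the checks, can be reproduced with a small model of the login path. The block below is an added example, not Tarantool's `src/box/authentication.cc`; the `AuthError` enum is named after the page's error codes, while the byte-length-prefixed "body" format that stands in for msgpack, the `kUsers` table, and the function names (`authenticate_before`, `authenticate_after`, `leaks_user_existence`) are assumptions made for illustration. `authenticate_before` checks user existence first and only then parses the body, so a malformed body yields a different error depending on whether the user exists; `authenticate_after` parses the body first, as the fix does, so both unknown-user and wrong-password requests collapse into the same `CREDS_MISMATCH` regardless of body validity.

```cpp
// Added example (not Tarantool's code): models the user-enumeration oracle
// fixed by the commit and the corrected check ordering.
#include <cstdint>
#include <map>
#include <string>

// Error codes modelled on the page's ER_INVALID_MSGPACK / ER_CREDS_MISMATCH.
enum class AuthError { OK, INVALID_MSGPACK, CREDS_MISMATCH };

// Constructed user registry (assumption): user name -> expected password.
static const std::map<std::string, std::string> kUsers = {
    {"alice", "s3cret"},
};

// Toy request body standing in for msgpack decoding (assumption):
// first byte is the password length, the rest is the password.
// Returns false when the body is malformed, i.e. length byte and payload disagree.
static bool parse_body(const std::string& body, std::string& password) {
    if (body.empty()) return false;
    const std::size_t declared = static_cast<std::uint8_t>(body[0]);
    if (declared != body.size() - 1) return false;
    password = body.substr(1);
    return true;
}

// Compare without early exit on the first differing byte.
static bool creds_match(const std::string& given, const std::string& expected) {
    if (given.size() != expected.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < given.size(); ++i)
        diff |= static_cast<unsigned char>(given[i] ^ expected[i]);
    return diff == 0;
}

// Vulnerable ordering: an unknown user short-circuits before the body is parsed,
// so a malformed body produces CREDS_MISMATCH for unknown users but
// INVALID_MSGPACK for existing ones.
AuthError authenticate_before(const std::string& user, const std::string& body) {
    auto it = kUsers.find(user);
    if (it == kUsers.end()) return AuthError::CREDS_MISMATCH;  // body never inspected
    std::string password;
    if (!parse_body(body, password)) return AuthError::INVALID_MSGPACK;
    return creds_match(password, it->second) ? AuthError::OK : AuthError::CREDS_MISMATCH;
}

// Fixed ordering: the body is always parsed first, so the parse error no longer
// depends on whether the user exists.
AuthError authenticate_after(const std::string& user, const std::string& body) {
    std::string password;
    if (!parse_body(body, password)) return AuthError::INVALID_MSGPACK;
    auto it = kUsers.find(user);
    if (it == kUsers.end()) return AuthError::CREDS_MISMATCH;
    return creds_match(password, it->second) ? AuthError::OK : AuthError::CREDS_MISMATCH;
}

// Detection helper: true when a handler answers a malformed body differently
// for an existing and an unknown user, i.e. it leaks user existence.
bool leaks_user_existence(AuthError (*handler)(const std::string&, const std::string&)) {
    // Length byte claims 5 bytes but only 2 follow: malformed on purpose.
    const std::string malformed = std::string(1, '\x05') + "ab";
    return handler("alice", malformed) != handler("nobody", malformed);
}
```

In this model `leaks_user_existence(authenticate_before)` is true and `leaks_user_existence(authenticate_after)` is false. The same reasoning generalises to any pre-authentication validation step: every check that can fail with a distinct error should run before the user lookup, or after it on both branches, so that the response does not encode whether the lookup succeeded. Response timing is out of scope for this example.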
Showing 3 changed files:
- changelogs/unreleased/ghs-21-user-enumeration.md (4 additions, 0 deletions)
- src/box/authentication.cc (10 additions, 12 deletions)
- test/box-luatest/ghs_16_user_enumeration_test.lua (78 additions, 0 deletions)