
Change user workflows to prevent user enumeration attacks #8537

Merged
merged 2 commits into from
Dec 14, 2021
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -14,6 +14,10 @@ Decidim.configure do |config|
end
```

#### User workflows change to prevent user enumeration attacks

Until now it was possible to see if an email account was registered in Decidim, by using features like "Forgot your password", as the response changed if the email existed ("`You will receive an email with instructions on how to reset your password in a few minutes`") that's different to a non-existing user account ("`could not be found. Did you sign up previously?`"). This allows User Enumration attacks, where a malicious actor can check if anyone has an acount in the platform. As per [\#8537](https://github.com/decidim/decidim/pull/8537), anyone has the same answer always "`If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes`".

### Added
* [#8012](https://github.com/decidim/decidim/pull/8012) Participatory space to comments, to fix the statistics. Use
`rake decidim_comments:update_participatory_process_in_comments` to migrate existing comments to the new structure.
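Review bot: two typos in the second sentence of the new CHANGELOG entry will ship in the release notes, "Enumration" and "acount"; suggest "Enumeration" and "account", and "anyone has the same answer always" reads better as "everyone always gets the same answer". The entry also describes only the password-recovery flow, while the spec changes in this PR show the last-attempt lock warning, the "Your account is locked." message and the unlock-instructions text changing as well; a sentence listing those flows would help operators who grep logs or support macros for the old strings.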
2 changes: 1 addition & 1 deletion decidim-core/config/initializers/devise.rb
Expand Up @@ -88,7 +88,7 @@ def respond
# It will change confirmation, password recovery and other workflows
# to behave the same regardless if the e-mail provided was right or wrong.
# Does not affect registerable.
# config.paranoid = true
config.paranoid = true

# By default Devise will store the user in session. You can skip storage for
# particular strategies by setting this option.
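Review bot: the comment right above the changed line says paranoid mode "Does not affect registerable", so the sign-up form still answers differently for an address that is already registered; if the intent of #8537 is to close enumeration across user workflows, that path needs separate handling or at least a mention in the CHANGELOG entry. Also worth noting next to `config.paranoid = true`: it unifies the flash text only, the existing-account branch still enqueues a mail, so delivery must stay asynchronous (as the spec's `perform_enqueued_jobs` blocks assume) or response time will disclose what the message no longer does.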
30 changes: 25 additions & 5 deletions decidim-core/spec/system/authentication_spec.rb
Expand Up @@ -330,9 +330,20 @@
perform_enqueued_jobs { find("*[type=submit]").click }
end

expect(page).to have_content("reset your password")
expect(page).to have_content("If your email address exists in our database")
expect(emails.count).to eq(1)
end

it "says it sends a password recovery email when is a non-existing email" do
visit decidim.new_user_password_path

within ".new_user" do
fill_in :password_user_email, with: "nonexistent@example.org"
find("*[type=submit]").click
end

expect(page).to have_content("If your email address exists in our database")
end
end

describe "Reset password" do
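Review bot: the new example "says it sends a password recovery email when is a non-existing email" checks only the flash text; add `expect(emails.count).to eq(0)` (wrapping the click in `perform_enqueued_jobs`, as the sibling example above it does) so it also proves that no mail is sent for an unknown address and that the two branches differ only in delivery, not in what the page says. Minor: the description "when is a non-existing email" would read better as "when the email does not exist".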
Expand Down Expand Up @@ -389,14 +400,14 @@
end
end

it "shows the last attempt warning before locking the account" do
it "doesn't show the last attempt warning before locking the account" do
within ".new_user" do
fill_in :session_user_email, with: user.email
fill_in :session_user_password, with: "not-the-pasword"
find("*[type=submit]").click
end

expect(page).to have_content("You have one more attempt before your account is locked.")
expect(page).to have_content("Invalid")
end
end
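Review bot: `expect(page).to have_content("Invalid")` is a very loose match that could pass on unrelated page text; assert the full flash message Devise renders in paranoid mode, and add `expect(page).not_to have_content("You have one more attempt before your account is locked.")` so the renamed example "doesn't show the last attempt warning before locking the account" actually proves the warning is gone rather than that some string containing "Invalid" appeared.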

Expand All @@ -421,7 +432,7 @@
perform_enqueued_jobs { find("*[type=submit]").click }
end

expect(page).to have_content("Your account is locked.")
expect(page).to have_content("Invalid")
expect(emails.count).to eq(1)
end
end
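Review bot: same loose match as in the previous hunk; pair `expect(page).to have_content("Invalid")` with `expect(page).not_to have_content("Your account is locked.")` so the example verifies the lock state is no longer disclosed on the sign-in page. The `expect(emails.count).to eq(1)` assertion still shows the unlock mail goes out, which is the intended behaviour, but the combination (generic flash, unlock mail delivered) deserves a short comment so a later reader does not "fix" it back.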
Expand All @@ -440,9 +451,18 @@
perform_enqueued_jobs { find("*[type=submit]").click }
end

expect(page).to have_content("You will receive an email with instructions for how to unlock your account in a few minutes.")
expect(page).to have_content("If your account exists")
expect(emails.count).to eq(1)
end

it "says it resends the unlock instructions when is a non-existing user account" do
within ".new_user" do
fill_in :unlock_user_email, with: user.email
find("*[type=submit]").click
end

expect(page).to have_content("If your account exists")
end
end

describe "Unlock account" do
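Review bot: the new example "says it resends the unlock instructions when is a non-existing user account" fills in `user.email`, an existing locked user, so it exercises the same path as the example above it and never tests a non-existent account; use an unregistered address such as the `"nonexistent@example.org"` the password spec uses, and add `expect(emails.count).to eq(0)` inside a `perform_enqueued_jobs` block so it also proves no unlock mail is sent. The description's "when is a non-existing user account" would read better as "when the account does not exist".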