Project Quay: PROJQUAY-5111

Leaking sensitive LDAP information and granting bruteforce authentication


Details

    • Compatibility/Configuration, User Experience

    Description

      With LDAP-based authentication (`AUTHENTICATION_TYPE: LDAP`), Quay leaks sensitive information by replying with either:

      • Invalid username
      • Invalid password

      Following best practices, we should not reveal whether a username is valid when the supplied password is wrong.

      Visible in data/users/externalldap.py:

                  if not referral_dn:
                      return (None, "Invalid username")

                  try:
                      with LDAPConnection(
                          self._ldap_uri, referral_dn, password, self._allow_tls_fallback
                      ):
                          pass
                  except ldap.INVALID_CREDENTIALS:
                      logger.debug("Invalid LDAP credentials")
                      return (None, "Invalid password")

              except ldap.INVALID_CREDENTIALS:
                  logger.debug("Invalid LDAP credentials")
                  return (None, "Invalid password")

      Furthermore, the external LDAP authentication lacks the verify_user method call that ensures Quay does not grant brute-force authentication.

      This method is used in:

      • data/model/user.py
      • data/users/database.py
      • oauth/services/github.py
      • oauth/services/google.py
      • oauth/login.py

      but is missing from data/users/externalldap.py, as is a `DEBUG` log line showing that authentication has failed.

      Additionally, it would be nice to export such statistics as metrics so they can be monitored through the metrics services.
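      The following is an added example illustrating the three points above (one generic error for both failure causes, per-account throttling of failed logins, and failure counters for a metrics exporter). It is not Quay's code: LoginThrottle, ldap_bind, FAKE_DIRECTORY, DUMMY_DN and the metric names are assumptions, and the directory is a constructed in-memory stand-in for a real LDAP bind.

```python
"""
Added example (not Quay's code): LDAP-style credential verification that
returns one generic error for unknown users and wrong passwords, throttles
repeated failures per account, and counts failures for a metrics exporter.
LoginThrottle, ldap_bind, FAKE_DIRECTORY and DUMMY_DN are hypothetical names;
the directory below is a constructed stand-in for a real LDAP server.
"""
import logging
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

logger = logging.getLogger(__name__)

# Constructed stand-in for the directory: username -> (dn, password).
FAKE_DIRECTORY = {
    "alice": ("uid=alice,ou=people,dc=example,dc=org", "correct horse battery staple"),
}
# A DN that never binds, so an unknown user costs a bind attempt too.
DUMMY_DN = "uid=nobody,ou=people,dc=example,dc=org"

# Single message for both failure causes; the caller cannot tell
# "no such user" from "wrong password".
GENERIC_FAILURE = "Invalid username or password"


class InvalidCredentials(Exception):
    """Stands in for ldap.INVALID_CREDENTIALS."""


def ldap_bind(dn: str, password: str) -> None:
    """Simulated simple bind: succeeds only for a matching (dn, password)."""
    for stored_dn, stored_pw in FAKE_DIRECTORY.values():
        if stored_dn == dn and stored_pw == password:
            return
    raise InvalidCredentials()


@dataclass
class LoginThrottle:
    """Per-account failed-login accounting with exponential backoff."""
    max_free_attempts: int = 3      # failures allowed before delays start
    base_delay: float = 1.0         # seconds; doubles with each further failure
    max_delay: float = 300.0
    failures: Dict[str, int] = field(default_factory=dict)
    last_failure: Dict[str, float] = field(default_factory=dict)
    metrics: Dict[str, int] = field(default_factory=lambda: {
        "ldap_login_failures_total": 0,
        "ldap_login_throttled_total": 0,
    })

    def retry_after(self, key: str, now: float) -> float:
        """Seconds still to wait before `key` may try again (0 = allowed)."""
        n = self.failures.get(key, 0)
        if n < self.max_free_attempts:
            return 0.0
        delay = min(self.base_delay * 2 ** (n - self.max_free_attempts), self.max_delay)
        return max(0.0, self.last_failure[key] + delay - now)

    def record_failure(self, key: str, now: float) -> None:
        self.failures[key] = self.failures.get(key, 0) + 1
        self.last_failure[key] = now
        self.metrics["ldap_login_failures_total"] += 1

    def record_success(self, key: str) -> None:
        self.failures.pop(key, None)
        self.last_failure.pop(key, None)


def verify_credentials(username: str, password: str, throttle: LoginThrottle,
                       now: Optional[float] = None) -> Tuple[Optional[dict], Optional[str]]:
    """Returns (user_info, None) on success or (None, error_message) on failure."""
    now = time.monotonic() if now is None else now
    if not password:
        # An empty password must never reach the server as an anonymous bind.
        return (None, "Anonymous binding not allowed")

    if throttle.retry_after(username, now) > 0:
        throttle.metrics["ldap_login_throttled_total"] += 1
        logger.debug("LDAP login for %r throttled", username)
        return (None, GENERIC_FAILURE)

    # Unknown users bind against DUMMY_DN so the failure path costs roughly
    # the same as a wrong password for a known account.
    dn = FAKE_DIRECTORY.get(username, (DUMMY_DN, None))[0]
    try:
        ldap_bind(dn, password)
    except InvalidCredentials:
        logger.debug("LDAP authentication failed for %r", username)
        throttle.record_failure(username, now)
        return (None, GENERIC_FAILURE)

    throttle.record_success(username)
    return ({"username": username, "dn": dn}, None)
```

      In a real deployment the referral branch would return the same GENERIC_FAILURE instead of "Invalid username", and the throttle state would live in the database (as the invalid-attempt counters used by verify_user do) rather than in memory, so that it survives restarts and is shared between workers.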

      People

        Assignee: Unassigned
        Reporter: rhn-support-milang (Michaela Lang)
        Votes: 1
        Watchers: 7