fix: possible unauthenticated SQL injection when login (#1383)

* fix: possible unauthenticated SQL injection when login * add to api layer * update ldap_auth
pinterest · Dec 8, 2023 · 7214963 · 7214963
1 parent 2c71a8a
commit 7214963
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 6 deletions.
diff --git a/querybook/server/app/auth/ldap_auth.py b/querybook/server/app/auth/ldap_auth.py
@@ -121,6 +121,9 @@ def ldap_authenticate(ldap_conn: SimpleLDAPObject, user_dn: str, password: str):
 
 @with_session
 def login_user(username: str, email: str, full_name: str, session=None):
+    if not username or not isinstance(username, str):
+        raise AuthenticationError("Please provide a valid username")
+
     # Case-insensitive search of the user for backward compatibility.
     # Because it was possible to create e.g. uppercase usernames before.
     user = get_user_by_name(username, case_sensitive=False, session=session)

diff --git a/querybook/server/app/auth/oauth_auth.py b/querybook/server/app/auth/oauth_auth.py
@@ -127,8 +127,8 @@ def _parse_user_profile(self, profile_response):
 
     @with_session
     def login_user(self, username, email, session=None):
-        if not username:
-            raise AuthenticationError("Username must not be empty!")
+        if not username or not isinstance(username, str):
+            raise AuthenticationError("Please provide a valid username")
 
         user = get_user_by_name(username, session=session)
         if not user:

diff --git a/querybook/server/app/auth/okta_auth.py b/querybook/server/app/auth/okta_auth.py
@@ -115,8 +115,8 @@ def _parse_user_profile(self, resp):
 
     @with_session
     def login_user(self, username, email, fullname, session=None):
-        if not username:
-            raise AuthenticationError("Username must not be empty!")
+        if not username or not isinstance(username, str):
+            raise AuthenticationError("Please provide a valid username")
 
         user = get_user_by_name(username, session=session)
         if not user:

diff --git a/querybook/server/app/auth/password_auth.py b/querybook/server/app/auth/password_auth.py
@@ -26,8 +26,8 @@ def authenticate(username, password, session=None):
     :raise AuthenticationError: if an error occurred
     :return: a PasswordUser
     """
-    if not username:
-        raise AuthenticationError("Please provide a username")
+    if not username or not isinstance(username, str):
+        raise AuthenticationError("Please provide a valid username")
 
     if not password:
         raise AuthenticationError("Please provide a password")