-
Notifications
You must be signed in to change notification settings - Fork 655
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Security Warning while using for_user
method
#779
Comments
Thanks for filing. cc @robd003 This is more of a documentation thing as using |
This is an issue only if used with The "bad configuration" is:
|
I understand but there are several projects using it directly without any kind of user's active status validation which makes those projects vulnerable. |
I'm all for adding a logger.error and logger.critical, but outside of that is changing functionality and design principles. I'm not used to CVE reports and actionables in an open source context, but this is my understanding of general good design and consistent behavior for developers. Let me know if that's not how I should be approaching this and why. |
Adding logs can help users to avoid such issues. If possible let's also add more secure examples in docs so it doesn't introduce vulns in their projects. |
@Andrew-Chen-Wang Why don't add an exception raised if using As @dmdhrumilmistry says
and as the vuln doc says: so people doesn't have to check this manually: Because this line in the vuln makes it important I think:
And it won't be shown on vuln scanners. |
Hello folks. How can we go forward with this issue? Our DataDog is giving MEDIUM level for this CVE and it's hard to ignore such cases. We are safe with that, but the issue is increasing noise from our monitoring. Thank you for your effort. |
Adding that it might be a legal requirement for some users not to have this active CVE, for compliance reasons. |
There are valid use cases for utilizing
Some project don't use is_active flag such as for GDPR reasons where a full deletion is required. We have a utility user validation check function, but, as noted before, the problem is utilizing the experimental JWTStatelessUserAuthentication. This means implementing the validation check would incur a database query which completely defeats the purpose of the class. Again, this is a documentation error, that I or any willing users can make a PR for during free time. |
Definitely a valid reason that this should be ack-ed. If it's not really noticeable yet, I've been fairly disengaged due to constrained time for a solid 2 years around SimpleJWT. If anyone would like to assist with a PR (I think our RTDocs are also broken possibly?), I'm happy to take a look. |
Add security warning in for_user documentation to avoid introducing vulnerability in other applications.
Security Warning: validate whether user is active or not before generating token for the user. This will only create token for the user, it doesn't perform user validation whether user is active or not.
The text was updated successfully, but these errors were encountered: