Use bcrypt.compare for password validation instead of compareSync (#7612)
Signed-off-by: Vinit Sarvade <vinit.sarvade.08@gmail.com>
1 parent 77be3ea, commit dcd5254
Showing 4 changed files with 6 additions and 7 deletions.
Hi @lauriejim and @alexandrebodin
Forgetting the `await` in the `const isValid = strapi.plugins['users-permissions'].services.user.validatePassword` is a massive security issue. It means the code doesn't wait for a return and the passwords aren't compared. So any password is valid. Even though this is patched, I think you should declare it for anyone on a version where this is a problem.
Thanks
Matt
The code was using compareSync so it didn't need an await. There were no security issues. We only moved from sync to async.
Well, no.
It's a security issue if anyone uses this method in their code; if not present, this change must be inserted in a migration guide.