liz/wikijs-fork
liz/wikijs-fork
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: prevent user enumeration using local login timings

Browse Source
This commit is contained in:
NGPixel 2022-09-17 17:36:40 -04:00
parent 665284bf90
commit 4b3005057f
No known key found for this signature in database
GPG Key ID: 8FDA2F1757F60D63
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
server/modules/authentication/local/authentication.js
View File

@ -1,3 +1,5 @@
const bcrypt = require('bcryptjs-then')
/* global WIKI */ /* global WIKI */
// ------------------------------------ // ------------------------------------
@ -28,6 +30,9 @@ module.exports = {
done(null, user) done(null, user)
} }
} else { } else {
// Fake verify password to mask timing differences
await bcrypt.compare((Math.random() + 1).toString(36), '$2a$12$irXbAcQSY59pcQQfNQpY8uyhfSw48nzDikAmr60drI501nR.PuBx2')
done(new WIKI.Error.AuthLoginFailed(), null) done(new WIKI.Error.AuthLoginFailed(), null)
} }
} catch (err) { } catch (err) {