Incorrect workaround provided in GitHub Advisory CVE-2024-32879 #605

Closed
ssadanah opened this issue Aug 27, 2024 · 1 comment

@ssadanah

Expected behaviour

GitHub Advisory CVE-2024-32879 provides details of an exploit on case-insensitive checks on uid in the table social_auth_association. The workaround proposed is to alter the collation type to utf8_bin.

The issue here is that the advisory incorrectly references the table social_auth_association.

Recommended fix for the advisory

The actual exploit for uid exists in the table social_auth_usersocialauth. There is no uid parameter in any other table referenced in the social-app-django project.

So the recommended workaround in CVE-2024-32879 needs to be updated from

ALTER TABLE `social_auth_association` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;    -- Incorrect 'social_auth_association'

to

ALTER TABLE `social_auth_usersocialauth` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;

What are the steps to reproduce this issue?

No repro required. You can check the schema of the tables in social-app-django/social_django/migrations/0001_initial.py, which has the potentially exploitable uid parameter:

        migrations.CreateModel(
            name="UserSocialAuth",
            fields=[
                (
                    "id",
                    models.AutoField(
                        verbose_name="ID",
                        serialize=False,
                        auto_created=True,
                        primary_key=True,
                    ),
                ),
                ("provider", models.CharField(max_length=32)),
                ("uid", models.CharField(max_length=UID_LENGTH)),     # <------------------ Exploitable uid
                ("extra_data", JSONField(default="{}")),
                (
                    "user",
                    models.ForeignKey(
                        related_name="social_auth",
                        to=USER_MODEL,
                        on_delete=models.CASCADE,
                    ),
                ),
            ],
            options={
                "db_table": "social_auth_usersocialauth",        # <------------------ This is the table
            },
            bases=(models.Model, DjangoUserMixin),
        ),

Any logs, error output, etc?

Attempting to apply the workaround mentioned in the exploit fails.

ALTER TABLE "social_auth_association" ALTER COLUMN "uid" TYPE varchar(255) COLLATE "utf8_bin";
ERROR:  column "uid" of relation "social_auth_association" does not exist

Any other comments?

Recommended action - No change required in Codebase. #566 is sufficient. Only the workaround in the advisory needs to be updated to reflect the correct table.

@python-social-auth python-social-auth deleted a comment Aug 28, 2024
@nijel
Member

nijel commented Aug 28, 2024

Thanks for noticing this, I've just updated the advisory.

@nijel nijel closed this as completed Aug 28, 2024
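
A way to confirm the workaround targets the right column before and after applying it, as an added example that is not part of the original issue or the advisory. It assumes MySQL/MariaDB, the default social_django table names, and that the application's schema is the currently selected database.

```sql
-- Added example. Assumptions: MySQL/MariaDB, default social_django table
-- names, application schema selected with USE (so DATABASE() returns it).

-- 1. List every social_auth_* table that actually has a `uid` column,
--    with its current character set and collation. This is the check that
--    would have caught the wrong table name before running ALTER TABLE.
SELECT TABLE_NAME, COLUMN_NAME, COLUMN_TYPE,
       CHARACTER_SET_NAME, COLLATION_NAME
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME LIKE 'social_auth_%'
  AND COLUMN_NAME = 'uid';

-- 2. Apply the corrected workaround from this issue to the table that
--    step 1 reported.
ALTER TABLE `social_auth_usersocialauth`
  MODIFY `uid` varchar(255) COLLATE `utf8_bin`;

-- 3. Re-run the query from step 1 and read COLLATION_NAME for the row.

-- 4. Behavioural check: rows whose uid still compares equal to a
--    differently-cased copy of itself. Any row counted here means the
--    comparison on `uid` is still case-insensitive.
SELECT COUNT(*) AS case_insensitive_matches
FROM `social_auth_usersocialauth`
WHERE uid = UPPER(uid)
  AND CAST(uid AS BINARY) <> CAST(UPPER(uid) AS BINARY);
```

Step 4 only exercises rows whose uid contains lowercase letters, so treat step 3 as the authoritative check and step 4 as a confirmation on real data.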