Merged

🎉 Make social auth exceptions configurable #13596

update
2c06e6e
DryRunSecurity / General Security Analyzer succeeded Nov 9, 2025 in 32s


General Security Analyzer Findings: 1 detected

⚠️ Information Disclosure via Distinct Error Messages (dojo/settings/settings.dist.py)

Type: Information Disclosure via Distinct Error Messages

Description: The system provides distinct error messages for different social authentication failure states. Specifically, the 'AuthForbidden' message ('You are not authorized to log in via this method.') implies that a user account exists but is not permitted to use social login, while the 'AuthFailed' message ('Social login failed.') is more generic. This distinction allows an attacker to enumerate valid user accounts by observing which error message is returned for a given login attempt.

Filename: dojo/settings/settings.dist.py

Code:
DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FORBIDDEN=(str, "You are not authorized to log in via this method. Please contact support or use the standard login."),
DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_NONE_TYPE=(str, "An unexpected error occurred during social login. Please use the standard login."),
DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_TOKEN_ERROR=(str, "Social login failed due to an invalid or expired token. Please try again or use the standard login."),
DD_SAML2_ENABLED=(bool, False),