Ignore attributes when they are not prefixed with user.attributes prefix (#23184)
Co-authored-by: mposolda <mposolda@gmail.com> Co-authored-by: stianst <stianst@gmail.com>
parent
8effe31fdf
commit
5958c7948d
3 changed files with 68 additions and 1 deletions
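--- /dev/null
+++ b/docs/documentation/release_notes/topics/22_0_3.adoc
@@ -0,0 +1,49 @@
+= Security vulnerability when registering or updating user through templates
+
+A security vulnerability was introduced in Keycloak 22.0.2. We highly recommend not upgrading to 22.0.2, and for anyone that has deployed 22.0.2 in production to upgrade to 22.0.3 immediately.
+
+For users that has self-registered after Keycloak was upgraded to 22.0.2 their password is not stored securely, and can be exposed to administrators of Keycloak. This only affects users that has registered after the upgrade was rolled-out, and does not affect any previously registered users.
+
+Any realm using the preview declarative user profile is not affected by this issue, and only realms using the default user profile provider is affected.
+
+To identify if there are any affected users in your deployment you can query these by accessing the database, and running the following SQL statement:
+
+[source,sql]
+----
+SELECT DISTINCT U.ID, U.USERNAME, U.EMAIL, U.REALM_ID FROM USER_ENTITY U
+INNER JOIN USER_ATTRIBUTE UA ON U.ID = UA.USER_ID
+WHERE UA.NAME IN ('password','password-confirm')
+----
+
+We recommend contacting any affected users as well as adding the update password required action for them.
+
+If there are any affected users we also recommend removing these attributes from the database by running the following SQL statement:
+
+[source,sql]
+----
+DELETE FROM USER_ATTRIBUTE UA WHERE UA.NAME IN ('password','password-confirm')
+----
+
+If any backups have been done of the database after the 22.0.2 release and there are affected users, we recommend deleting these.
+
+== Custom user storage providers
+
+Any deployments with custom user storage federation providers may also be affected if the provider is delegating to Keycloak storing user attributes,
+please verify your custom user storage to identify if this is an issue.
+
+To identify if there are any federated user affected in your deployment, you can query these by accessing the database, and running the following SQL statement:
+
+[source,sql]
+----
+SELECT DISTINCT USER_ID,REALM_ID,STORAGE_PROVIDER_ID FROM FED_USER_ATTRIBUTE
+WHERE NAME IN ('password','password-confirm')
+----
+
+If there are any affected federated users, we also recommend removing these attributes from the database by running the following SQL statement:
+
+[source,sql]
+----
+DELETE FROM FED_USER_ATTRIBUTE UA WHERE UA.NAME IN ('password','password-confirm')
+----
+
+If your custom user storage provider is managing attributes itself, you should look at your custom storage to remove the `password` and `password-confirm` attributes.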
|
@ -5,6 +5,7 @@ import java.util.HashMap;
|
|||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
|
@ -23,9 +24,21 @@ public class LegacyAttributes extends DefaultAttributes {
|
|||
|
||||
@Override
|
||||
protected boolean isSupportedAttribute(String name) {
|
||||
if (UserProfileContext.USER_API.equals(context) || UserProfileContext.ACCOUNT.equals(context)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (super.isSupportedAttribute(name)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (name.startsWith(Constants.USER_ATTRIBUTES_PREFIX)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isReadOnly(String name) {
|
||||
RealmModel realm = session.getContext().getRealm();
|
||||
|
|
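Review bot: The early `return true` for the USER_API and ACCOUNT contexts means the `Constants.USER_ATTRIBUTES_PREFIX` filter added to `isSupportedAttribute` never applies to attributes arriving through the admin or account APIs, so whether those paths are free of the form-field-to-attribute problem described in this commit's release notes depends on callers outside the hunk; that is presumably intentional because those callers send an explicit attributes map rather than raw form fields, but nothing in the code says so. A comment on the first `if` such as `// Admin and account APIs submit an explicit attributes map, not raw form fields, so any name is accepted there; the prefix check below only guards template-driven contexts (registration, update profile).` would make the trust boundary explicit for the next reader. Once the context guard has run, the remaining three `if`/`return true` branches read more clearly as a single expression: `return super.isSupportedAttribute(name) || name.startsWith(Constants.USER_ATTRIBUTES_PREFIX);`. `context` appears to be inherited from `DefaultAttributes`, and `isReadOnly` continues past the end of the hunk.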
|
@ -65,6 +65,7 @@ import static org.hamcrest.Matchers.containsString;
|
|||
import static org.hamcrest.Matchers.is;
|
||||
import static org.hamcrest.CoreMatchers.notNullValue;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNull;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
/**
|
||||
|
@ -373,6 +374,10 @@ public class RegisterTest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
String userId = events.expectRegister(username, "registerUserSuccess@email").assertEvent().getUserId();
|
||||
assertUserRegistered(userId, username.toLowerCase(), "registerusersuccess@email");
|
||||
|
||||
UserRepresentation user = getUser(userId);
|
||||
|
||||
assertNull(user.getAttributes());
|
||||
}
|
||||
|
||||
private void assertUserRegistered(String userId, String username, String email) {
|
||||
|
|
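Review bot: `assertNull(user.getAttributes())` pins the regression to "the user has no attributes at all", which is stronger than the fix needs and brittle: any future default attribute, or a representation that returns an empty map instead of null, will fail this test for reasons unrelated to form fields being stored. Asserting the absence of the specific keys named in this commit's release notes would target the actual defect, e.g. `assertTrue(user.getAttributes() == null || !user.getAttributes().containsKey("password"));` with the same check for `"password-confirm"`; `assertTrue` is already statically imported, as the first hunk shows. The enclosing test method starts before this hunk, and `assertUserRegistered` continues past its end.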