Merge pull request #4797 from stianst/KEYCLOAK-5734

KEYCLOAK-5734
2017-12-05 17:31:36 -05:00 · 2017-12-05 17:31:36 -05:00 · f669fdf0df
commit f669fdf0df
parent 30ad2899b8 94ce97b972
3 changed files with 23 additions and 0 deletions
--- a/server-spi-private/src/main/java/org/keycloak/authentication/ValidationContext.java
+++ b/server-spi-private/src/main/java/org/keycloak/authentication/ValidationContext.java
@ -45,4 +45,11 @@ public interface ValidationContext extends FormContext {
     *
     */
    void success();
+
+    /**
+     * The error messages of this current validation will take precedence over any others. Other error messages will not
+     * be shown. This is useful to prevent validation from leaking to an attacker. For example, the recaptcha validator
+     * calls this method so that usernames cannot be phished
+     */
+    void excludeOtherErrors();
 }
--- a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java
+++ b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java
@ -138,6 +138,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
    private class ValidationContextImpl extends FormContextImpl implements ValidationContext {
        FormAction action;
        String error;
+        boolean excludeOthers;

        private ValidationContextImpl(AuthenticationExecutionModel executionModel, FormAction action) {
            super(executionModel);
@ -161,6 +162,11 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
        public void success() {
           success = true;
        }
+
+        @Override
+        public void excludeOtherErrors() {
+            excludeOthers = true;
+        }
    }

    @Override
@ -222,8 +228,17 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
            for (ValidationContextImpl v : errors) {
                for (FormMessage m : v.errors) {
                    if (!fields.contains(m.getField())) {
+                        if (v.excludeOthers) {
+                            fields.clear();
+                            messages.clear();
+                        }
+
                        fields.add(m.getField());
                        messages.add(m);
+
+                        if (v.excludeOthers) {
+                            break;
+                        }
                    }
                }
            }
--- a/services/src/main/java/org/keycloak/authentication/forms/RegistrationRecaptcha.java
+++ b/services/src/main/java/org/keycloak/authentication/forms/RegistrationRecaptcha.java
@ -127,6 +127,7 @@ public class RegistrationRecaptcha implements FormAction, FormActionFactory, Con
            formData.remove(G_RECAPTCHA_RESPONSE);
            context.error(Errors.INVALID_REGISTRATION);
            context.validationError(formData, errors);
+            context.excludeOtherErrors();
            return;