From 150a1d2777ea86253e6f800a2ee6273b92295ed9 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 12 Jul 2023 15:31:00 +0300 Subject: [PATCH] CVE-2023-3128 --- pkg/api/login_oauth.go | 17 +++++++++-------- pkg/setting/setting.go | 5 ++++- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go index b422baf..f124252 100644 --- a/pkg/api/login_oauth.go +++ b/pkg/api/login_oauth.go @@ -299,16 +299,17 @@ func (hs *HTTPServer) SyncUser( connect social.SocialConnector, ) (*models.User, error) { oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile") + lookupParams := models.UserLookupParams{} + if hs.Cfg.OAuthAllowInsecureEmailLookup { + lookupParams.Email = &extUser.Email + } + // add/update user in Grafana cmd := &models.UpsertUserCommand{ - ReqContext: ctx, - ExternalUser: extUser, - SignupAllowed: connect.IsSignupAllowed(), - UserLookupParams: models.UserLookupParams{ - Email: &extUser.Email, - UserID: nil, - Login: nil, - }, + ReqContext: ctx, + ExternalUser: extUser, + SignupAllowed: connect.IsSignupAllowed(), + UserLookupParams: lookupParams, } if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil { diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go index ba2c4bb..6b5c948 100644 --- a/pkg/setting/setting.go +++ b/pkg/setting/setting.go @@ -312,7 +312,8 @@ type Cfg struct { AuthProxySyncTTL int // OAuth - OAuthCookieMaxAge int + OAuthCookieMaxAge int + OAuthAllowInsecureEmailLookup bool // JWT Auth JWTAuthEnabled bool @@ -1255,6 +1256,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) { return err } + cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false) + const defaultMaxLifetime = "30d" maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime) cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)