social-core
social-core copied to clipboard
python-social-auth
fix: SteamOpenId does not validate identity url
Proposed changes
The implementation of SteamOpenId does not validate identity URL and could be impersonated by attackers.
Types of changes
Please check the type of change your PR introduces:
- [ ] Release (new release request)
- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Code style update (PEP8, lint, formatting, renaming, etc)
- [ ] Refactoring (no functional changes, no api changes)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Build related changes (build process, tests runner, etc)
- [ ] Other (please describe):
Checklist
Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask. We're here to
help! This is simply a reminder of what we are going to look for before merging
your code.
- [ ] Lint and unit tests pass locally with my changes
- [ ] I have added tests that prove my fix is effective or that my feature works
Other information
Any other information that is important to this PR such as screenshots of how the component looks before and after the change.
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 77.84%. Comparing base (
cf95380) to head (41b05c3). Report is 66 commits behind head on master.
:exclamation: Current head 41b05c3 differs from pull request most recent head 5a7ae95. Consider uploading reports for the commit 5a7ae95 to get more accurate results
Additional details and impacted files
@@ Coverage Diff @@
## master #807 +/- ##
==========================================
+ Coverage 77.80% 77.84% +0.03%
==========================================
Files 330 330
Lines 10097 10105 +8
Branches 1195 1198 +3
==========================================
+ Hits 7856 7866 +10
+ Misses 2087 2086 -1
+ Partials 154 153 -1
| Flag | Coverage Δ | |
|---|---|---|
| unittests | 77.84% <100.00%> (+0.03%) |
:arrow_up: |
Flags with carried forward coverage won't be shown. Click here to find out more.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
Anyone tried my suggestion in https://github.com/python-social-auth/social-core/issues/538#issuecomment-787514783 instead? This patch IMHO doesn't address https://github.com/python-social-auth/social-core/issues/538 at all.
The Steam openId login can still be stateless. Also I don't see how adding stores in https://github.com/python-social-auth/social-core/issues/538#issuecomment-787514783 address the problem, since it doesn't validate the op_endpoint/claim_id from the response still. Could you explain more about your fix?
If I understood https://github.com/python-social-auth/social-core/issues/538 correctly, the identify URL can be spoofed by third-party server. Restricting it to spoofing valid URL doesn't IMHO address the issue. What we really need is validating that the assertion is coming from the correct server, and keeping state should ensure that. (I might be wrong, my OpenID knowledge is very limited)
Merged as this does not harm, but I'm still not convinced this really addresses the original issue.