author | Christopher Speller <crspeller@gmail.com> | 2018-06-04 09:48:26 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-06-04 09:48:26 -0700 |
commit | 2c75247c97d0277944975deb9595b5f82a80e91e (patch) | |
tree | bd2bf76858fa308fc72b7f48860e6c291622149f | |
parent | bd7c9f86424a8d6609ad602e2225c4438d136415 (diff) | |
MM-10348 Adding experimental hardened mode. (#8881)
* Adding experimental hardened mode.
* Sanitizing all 5xx errors (collapsed to a generic 500 response).
-rw-r--r-- | api4/user.go | 21 | ||||
-rw-r--r-- | config/default.json | 3 | ||||
-rw-r--r-- | model/config.go | 5 | ||||
-rw-r--r-- | web/handlers.go | 10 |
4 files changed, 32 insertions, 7 deletions
diff --git a/api4/user.go b/api4/user.go
index ea90d2127..2292544c4 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -784,7 +784,9 @@ func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if user, err := c.App.GetUserForLogin("", loginId); err == nil {
+	if *c.App.Config().ServiceSettings.ExperimentalEnableHardenedMode {
+		resp["mfa_required"] = true
+	} else if user, err := c.App.GetUserForLogin("", loginId); err == nil {
 		resp["mfa_required"] = user.MfaActive
 	}
 
@@ -936,7 +938,11 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 
 	if sent, err := c.App.SendPasswordReset(email, c.App.GetSiteURL()); err != nil {
-		c.Err = err
+		if *c.App.Config().ServiceSettings.ExperimentalEnableHardenedMode {
+			ReturnStatusOK(w)
+		} else {
+			c.Err = err
+		}
 		return
 	} else if sent {
 		c.LogAudit("sent=" + email)
@@ -946,6 +952,13 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 
 func login(c *Context, w http.ResponseWriter, r *http.Request) {
+	// For hardened mode, translate all login errors to generic.
+	defer func() {
+		if *c.App.Config().ServiceSettings.ExperimentalEnableHardenedMode && c.Err != nil {
+			c.Err = model.NewAppError("login", "api.user.login.invalid_credentials", nil, "", http.StatusUnauthorized)
+		}
+	}()
+
 	props := model.MapFromJson(r.Body)
 
 	id := props["id"]
@@ -982,11 +995,7 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 
 func logout(c *Context, w http.ResponseWriter, r *http.Request) {
-	data := make(map[string]string)
-	data["user_id"] = c.Session.UserId
-
 	Logout(c, w, r)
-
 }
 
 func Logout(c *Context, w http.ResponseWriter, r *http.Request) {
diff --git a/config/default.json b/config/default.json
index 9f35ad7d1..67c1220bb 100644
--- a/config/default.json
+++ b/config/default.json
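Review bot: The new hardened-mode branch in checkUserMfa has no comment saying why `mfa_required` is forced to true, and the reason is not obvious from the code: reporting the real `user.MfaActive` value (or leaving it false when `GetUserForLogin` fails) tells an unauthenticated caller whether `login_id` belongs to an existing account and whether MFA is enabled on it. I would add `// Hardened mode: always report MFA as required so this unauthenticated endpoint cannot be used to enumerate accounts or their MFA state.` above the `if`. The non-hardened path still carries that disclosure, which is presumably the accepted trade-off behind making this an opt-in flag, but the comment should say so. checkUserMfa starts and ends outside the hunk.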
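Review bot: In the hardened branch of sendPasswordReset the error from `SendPasswordReset` is discarded entirely — neither `c.Err` nor any log call sees it before `ReturnStatusOK(w)` — so an SMTP outage or misconfiguration becomes invisible to operators while every caller is told the reset went through. The response should stay generic, but the error should still be recorded server-side before returning, e.g. with whatever error logger the Context already provides, or at minimum `c.LogAudit("fail - " + email)` in the style of the `sent=` audit line just below. A comment on the branch would also help: `// Hardened mode: return 200 regardless so the response does not reveal whether the address exists.` Whether response timing differs between the error and success paths is not visible here, so the enumeration protection may only be partial. sendPasswordReset begins outside the hunk.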
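Review bot: The deferred rewrite in login replaces `c.Err` wholesale, so if the handler wrapper logs `c.Err` after the handler returns (as the web/handlers.go change in this commit suggests), only the generic `api.user.login.invalid_credentials` / 401 is ever logged — the real cause (bad password, MFA failure, a store error that was a 5xx) is lost from the server log as well as from the response, and genuine outages surface to clients as bad credentials. Record the original error before overwriting it, e.g. via `c.LogAudit` or the Context's error logger, just above the `c.Err = model.NewAppError(...)` line. Collapsing 4xx parameter errors into a 401 is presumably intentional but worth stating in the comment, e.g. `// Hardened mode: collapse every login failure (including bad requests and server errors) to a generic 401 so responses carry no signal about the account.` The body of login continues outside the hunk.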
@@ -63,7 +63,8 @@
         "ImageProxyType": "",
         "ImageProxyOptions": "",
         "ImageProxyURL": "",
-        "EnableAPITeamDeletion": false
+        "EnableAPITeamDeletion": false,
+        "ExperimentalEnableHardenedMode": false
     },
     "TeamSettings": {
         "SiteName": "Mattermost",
diff --git a/model/config.go b/model/config.go
index 074632a67..ebd90a372 100644
--- a/model/config.go
+++ b/model/config.go
@@ -226,6 +226,7 @@ type ServiceSettings struct {
 	ImageProxyURL *string
 	ImageProxyOptions *string
 	EnableAPITeamDeletion *bool
+	ExperimentalEnableHardenedMode *bool
 }
 
 func (s *ServiceSettings) SetDefaults() {
@@ -458,6 +459,10 @@ func (s *ServiceSettings) SetDefaults() {
 	if s.EnableAPITeamDeletion == nil {
 		s.EnableAPITeamDeletion = NewBool(false)
 	}
+
+	if s.ExperimentalEnableHardenedMode == nil {
+		s.ExperimentalEnableHardenedMode = NewBool(false)
+	}
 }
 
 type ClusterSettings struct {
diff --git a/web/handlers.go b/web/handlers.go
index 363b05c59..aac88aa3a 100644
--- a/web/handlers.go
+++ b/web/handlers.go
@@ -147,6 +147,16 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		c.Err.DetailedError = ""
 	}
 
+	// Sanitize all 5xx error messages in hardened mode
+	if *c.App.Config().ServiceSettings.ExperimentalEnableHardenedMode && c.Err.StatusCode >= 500 {
+		c.Err.Id = ""
+		c.Err.Message = "Internal Server Error"
+		c.Err.DetailedError = ""
+		c.Err.StatusCode = 500
+		c.Err.Where = ""
+		c.Err.IsOAuth = false
+	}
+
 	w.WriteHeader(c.Err.StatusCode)
 	w.Write([]byte(c.Err.ToJson()))
 
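Review bot: `ExperimentalEnableHardenedMode` is added to ServiceSettings without a doc comment, and nothing in the type says what the flag changes, so an administrator reading the config struct has to grep the handlers to learn its effect. A comment above the field stating the effects visible in this commit would help, e.g. `// ExperimentalEnableHardenedMode makes the login, MFA-check and password-reset responses generic and replaces 5xx error bodies with a bare Internal Server Error.` Both the struct and SetDefaults extend beyond the hunk.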
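Review bot: The sanitizer hard-codes `500` and `"Internal Server Error"` although net/http is already in scope in this file (the ServeHTTP signature uses http.ResponseWriter); `c.Err.StatusCode = http.StatusInternalServerError` and `c.Err.Message = http.StatusText(http.StatusInternalServerError)` express the same thing without magic values. More importantly, this block must execute after c.Err has been logged server-side: if the logging of c.Err sits below this point (it is not visible in the hunk), the log would only ever record the scrubbed error and the original 5xx cause would be lost. `c.Err.RequestId` is deliberately left intact, which seems right — it lets a user quote an id to support without revealing details — but extending the comment to say so would prevent someone "completing" the scrub later. ServeHTTP starts and ends outside the hunk.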