Skip to content

Password Reset: Disable for SSO users #13079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 2, 2025
Merged

Password Reset: Disable for SSO users #13079

merged 1 commit into from
Sep 2, 2025

Conversation

Maffooch
Copy link
Contributor

It is possible to set password reset for users that were authorized through SSO mechanisms. This has potential to lock a user into a flow of not being able to reset a password that does not exist

@Maffooch Maffooch requested a review from mtesauro as a code owner August 29, 2025 18:53
@github-actions github-actions bot added the apiv2 label Aug 29, 2025
@dryrunsecurity DryRunSecurity
Copy link

DryRun Security

This pull request contains two information disclosure vulnerabilities related to revealing SSO authentication details in error messages and help text, which could potentially provide attackers with insights into user authentication methods.

Information Disclosure in dojo/api_v2/serializers.py
Vulnerability Information Disclosure
Description The UserContactInfoSerializer in dojo/api_v2/serializers.py generates a specific validation error message, 'Password resets are not allowed for users authorized through SSO.', when a password reset is attempted for a user authenticated via SSO. This non-generic error message reveals an internal implementation detail (the user's authentication method), which can be leveraged by an attacker.

django-DefectDojo/dojo/api_v2/serializers.py

Lines 614 to 626 in 60d268f

model = UserContactInfo
fields = "__all__"
def validate(self, data):
user = data.get("user", None) or self.instance.user
if data.get("force_password_reset", False) and not user.has_usable_password():
msg = "Password resets are not allowed for users authorized through SSO."
raise ValidationError(msg)
return super().validate(data)
class UserStubSerializer(serializers.ModelSerializer):
class Meta:

Information Disclosure in dojo/forms.py
Vulnerability Information Disclosure
Description The UserContactInfoForm displays a help text message indicating if a user is authorized through SSO. This information is disclosed to any user with auth.change_user permission when they access the edit_user page for another user. While this permission is typically for administrators, the authentication method of a user can be considered sensitive information that should not be unnecessarily exposed.

django-DefectDojo/dojo/forms.py

Lines 2392 to 2405 in 60d268f

exclude = ["user", "slack_user_id"]
def __init__(self, *args, **kwargs):
user = kwargs.pop("user", None)
super().__init__(*args, **kwargs)
# Do not expose force password reset if the current user does not have a password to reset
if user is not None:
if not user.has_usable_password():
self.fields["force_password_reset"].disabled = True
self.fields["force_password_reset"].help_text = "This user is authorized through SSO, and does not have a password to reset"
# Determine some other settings based on the current user
current_user = get_current_user()
if not current_user.is_superuser:
if not user_has_configuration_permission(current_user, "auth.change_user") and \

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten added this to the 2.50.0 milestone Aug 30, 2025
mtesauro
mtesauro approved these changes Sep 1, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@valentijnscholten valentijnscholten modified the milestones: 2.50.0, 2.51.0, 2.50.1 Sep 2, 2025
@valentijnscholten valentijnscholten merged commit a653695 into bugfix Sep 2, 2025
87 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@dogboat dogboat dogboat approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

Assignees
No one assigned
Labels
apiv2
Projects
None yet
Milestone
2.50.1
Development

Successfully merging this pull request may close these issues.
5 participants
@Maffooch @mtesauro @valentijnscholten @dogboat @blakeaowens