#36711: createsuperuser in non-interactive mode bypasses AUTH_PASSWORD_VALIDATORS
----------------------------------------+---------------------------
               Reporter:  stan shaw     |          Owner:  stan shaw
                   Type:  Bug           |         Status:  assigned
              Component:  contrib.auth  |        Version:  5.2
               Severity:  Normal        |       Keywords:
           Triage Stage:  Unreviewed    |      Has patch:  0
    Needs documentation:  0             |    Needs tests:  0
Patch needs improvement:  0             |  Easy pickings:  0
                  UI/UX:  0             |
----------------------------------------+---------------------------
 '''Component:''' django.contrib.auth

 == Description ==
 The createsuperuser management command behaves inconsistently when running
 in interactive mode versus non-interactive mode (--noinput).

 '''Interactive Mode:''' When run interactively, the command correctly
 prompts for a password and validates it against the
 AUTH_PASSWORD_VALIDATORS defined in settings.py.

 '''Non-Interactive Mode:''' When run with --noinput, the command pulls the
 password from the DJANGO_SUPERUSER_PASSWORD environment variable. However,
 it '''fails to run this password through the validators'''. It passes the
 password directly to the create_superuser method.

 This allows a weak, non-compliant password to be set in automated
 environments (like CI/CD pipelines, Dockerfiles, or deployment scripts),
 completely bypassing the project's configured password security policy.

 == How to Reproduce ==

 '''Configure Validators:''' In your project's settings.py, add a strict
 password validator:
 {{{#!python
 AUTH_PASSWORD_VALIDATORS = [
     {
         'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
         'OPTIONS': {
             'min_length': 20,  # Set a long minimum length
         },
     },
 ]
 }}}

 '''Apply Migrations:''' Ensure the database is set up.
 {{{#!bash
 python manage.py migrate
 }}}

 '''Test Interactive Mode (Works Correctly):'''
 Run the command interactively and try to enter a short password.
 {{{#!bash
 $ python manage.py createsuperuser
 Username: testuser
 Email address: [email protected]
 Password: 123
 Password (again): 123
 This password is too short. It must contain at least 20 characters.
 Bypass password validation and create user anyway? [y/N]:
 ...
 }}}
 This fails as expected.

 '''Test Non-Interactive Mode (The Bug):'''
 Set the environment variable to the same short, invalid password and run
 with --noinput.
 {{{#!bash
 export DJANGO_SUPERUSER_PASSWORD="123"
 python manage.py createsuperuser --noinput --username admin --email [email protected]
 }}}

 == Expected Result ==
 The command should fail with a CommandError stating, "This password is too
 short."

 == Actual Result ==
 The command succeeds, and the superuser is created with the non-compliant
 password "123".
 {{{
 Superuser created successfully.
 }}}
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36711>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
