codeant-ai-for-open-source[bot] commented on code in PR #39469:
URL: https://github.com/apache/superset/pull/39469#discussion_r3534298710


##########
superset/security/manager.py:
##########
@@ -4543,6 +4560,39 @@ def is_admin(self) -> bool:
             role.name for role in self.get_user_roles()
         ]
 
+    def auth_user_db(self, username: str, password: str) -> User | None:
+        """
+        Authenticate a database user, verifying bcrypt/argon2 and legacy 
hashes.
+        """
+        if username is None or username == "":
+            return None
+        first_user = self.get_first_user()
+        user = self.find_user(username=username)
+        if user is None:
+            user = self.find_user(email=username)
+        else:
+            # Balance failure and success
+            _ = self.find_user(email=username)
+        if user is None or (not user.is_active):
+            # Balance failure and success
+            check_password_hash(
+                current_app.config.get(
+                    "AUTH_DB_FAKE_PASSWORD_HASH_CHECK",
+                    DEFAULT_AUTH_DB_FAKE_PASSWORD_HASH_CHECK,
+                ),
+                "password",
+            )

Review Comment:
   **Suggestion:** The failed-login balancing path always runs 
`check_password_hash` against a fixed PBKDF2 hash and a constant plaintext 
(`"password"`), while real users are now verified with bcrypt/argon2 in 
`verify_auth_db_password`. This creates measurable timing differences between 
nonexistent/inactive accounts and real accounts, enabling username enumeration. 
Use a fake verification path that matches the active AUTH_DB hash family and 
uses the candidate password input so failure timing remains consistent. 
[security]
   
   <details>
   <summary><b>Severity Level:</b> Critical 🚨</summary>
   
   ```mdx
   - ❌ AUTH_DB login allows username enumeration via timing differences.
   - ⚠️ Attacker can target valid users for credential stuffing.
   ```
   </details>
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. Create or reuse an AUTH_DB user (for example `alice`) so `user.password` 
stores a
   bcrypt or argon2 hash via `hash_auth_db_password` in
   `superset/utils/auth_db_password_hash.py:50-69`.
   
   2. From a Python shell or test, call 
`SupersetSecurityManager.auth_user_db("no-such-user",
   "candidate-password")` with a username that does not exist; in `auth_user_db`
   (superset/security/manager.py:4563-4576) `user` is `None`, so the 
missing-user branch at
   4576-4584 executes
   
`check_password_hash(current_app.config.get("AUTH_DB_FAKE_PASSWORD_HASH_CHECK",
   DEFAULT_AUTH_DB_FAKE_PASSWORD_HASH_CHECK), "password")` against a fixed 
PBKDF2 hash and
   constant plaintext.
   
   3. Call `SupersetSecurityManager.auth_user_db("alice", "wrong-password")` 
for an existing
   active user; in `auth_user_db` the user is found and the success/failure 
path at 4589-4594
   invokes `verify_auth_db_password(user.password, password)`, which for bcrypt 
hashes goes
   through the bcrypt branch in `verify_auth_db_password`
   (superset/utils/auth_db_password_hash.py:81-93) and performs a full bcrypt 
or argon2
   verification.
   
   4. Instrument these two calls (for example using `time.perf_counter`) or 
exercise them via
   the AUTH_DB `/login` flow (implemented by Flask-AppBuilder calling 
`auth_user_db`) and
   observe that the nonexistent-user path (step 2, PBKDF2 fake check with 
constant
   `"password"`) has a measurably different runtime than the real-user path 
(step 3,
   bcrypt/argon2 verification), enabling remote username enumeration based 
solely on response
   timing.
   ```
   </details>
   
   [![Fix in 
Cursor](https://new-codeant-butcket.s3.us-west-1.amazonaws.com/badges/fix-in-cursor-flat.svg)](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=857170a382854c1e9090c87a20579fb3&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
 [![Fix in VSCode 
Claude](https://new-codeant-butcket.s3.us-west-1.amazonaws.com/badges/fix-in-vscode-claude-flat.svg)](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=857170a382854c1e9090c87a20579fb3&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
   
   *(Use Cmd/Ctrl + Click for best experience)*
   <details>
   <summary><b>Prompt for AI Agent 🤖 </b></summary>
   
   ```mdx
   This is a comment left during a code review.
   
   **Path:** superset/security/manager.py
   **Line:** 4578:4584
   **Comment:**
        *Security: The failed-login balancing path always runs 
`check_password_hash` against a fixed PBKDF2 hash and a constant plaintext 
(`"password"`), while real users are now verified with bcrypt/argon2 in 
`verify_auth_db_password`. This creates measurable timing differences between 
nonexistent/inactive accounts and real accounts, enabling username enumeration. 
Use a fake verification path that matches the active AUTH_DB hash family and 
uses the candidate password input so failure timing remains consistent.
   
   Validate the correctness of the flagged issue. If correct, How can I resolve 
this? If you propose a fix, implement it and please make it concise.
   Once fix is implemented, also check other comments on the same PR, and ask 
user if the user wants to fix the rest of the comments as well. if said yes, 
then fetch all the comments validate the correctness and implement a minimal fix
   ```
   </details>
   <a 
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F39469&comment_hash=04b794ae5cec28f24082bde8984d2f0058a705530d3587fb6631ad80bbf786ec&reaction=like'>👍</a>
 | <a 
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F39469&comment_hash=04b794ae5cec28f24082bde8984d2f0058a705530d3587fb6631ad80bbf786ec&reaction=dislike'>👎</a>



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to