chore: disallow password resets to unverified email #18088
Conversation
Only allow account resets to verified email addresses to prevent account domain resurrection attacks. Signed-off-by: Mike Fiedler <[email protected]>
If the user account exists for a given email address, check if the account is verified. If it's not, reject with a flash message. Signed-off-by: Mike Fiedler <[email protected]>
Signed-off-by: Mike Fiedler <[email protected]>
miketheman
added
security
|
|
| if unverified_email := first_true( | ||
| user.emails, | ||
| pred=lambda e: e.email == form.username_or_email.data, | ||
| ): |
There was a problem hiding this comment.
This conditional doesn't work when attempting to request password reset by username: verified_email becomes None, but this query is searching for an email that matches the username, not the email address, so it will never succeed.
I'm surprised the tests & coverage are OK with this? Something is falling between the cracks here.
| request.session.flash( | ||
| request._( | ||
| "Email address '${email}' is not verified. " | ||
| "Contact PyPI support for assistance.", | ||
| mapping={"email": unverified_email.email}, | ||
| ), | ||
| queue="error", | ||
| ) |
There was a problem hiding this comment.
I'm also slightly concerned that this will become an oracle. I think instead, if we get a password reset for an unverified email, we should just send that address an email "Password reset requested but this email address is currently unverified" and just display the same ambiguous message here instead.
There was a problem hiding this comment.
Can you help me understand the threat vector this kind of oracle would provide?
It'll confirm the existence of an email address that isn't able to be used without an account recovery via support. It does not expose who the email address is associated with.
I'm generally okay to consider another email template to send to unverified email addresses, but that has the downside of us trying to email places that have already had either a hard bounce, expiration, or some other reason that the address is unverified, and could affect our sender scores.
Only allow account resets to verified email addresses to prevent account
domain resurrection attacks.
If the user account exists for a given email address, check if the
account is verified. If it's not, reject with a flash message.
Does not disclose the name of a given user account, logs an event/warning for inspection.