Authentication errors: try to avoid user enumeration

Fixes #395
2025-12-07 23:00:55 +03:00 · 2021-04-26 19:48:21 +02:00
parent 7778716fa7
commit 1275328fdf
7 changed files with 59 additions and 17 deletions
--- a/ftpd/ftpd_test.go
+++ b/ftpd/ftpd_test.go
@@ -562,13 +562,21 @@ func TestBasicFTPHandling(t *testing.T) {
 	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 1*time.Second, 50*time.Millisecond)
 }

-func TestLoginInvalidPwd(t *testing.T) {
+func TestLoginInvalidCredetials(t *testing.T) {
 	u := getTestUser()
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	user.Password = "wrong"
+	user.Username = "wrong username"
 	_, err = getFTPClient(user, false, nil)
-	assert.Error(t, err)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), dataprovider.ErrInvalidCredentials.Error())
+	}
+	user.Username = u.Username
+	user.Password = "wrong pwd"
+	_, err = getFTPClient(user, false, nil)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), dataprovider.ErrInvalidCredentials.Error())
+	}
 	_, err = httpdtest.RemoveUser(user, http.StatusOK)
 	assert.NoError(t, err)
 }