Hardening login: https://github.com/bpatrik/pigallery2/security/advisories/GHSA-7mhm-5pj7-qpx7

bpatrik · bpatrik · commit bf910bed37c4 · 2026-05-30T22:57:26.000+02:00
diff --git a/src/backend/middlewares/user/AuthenticationMWs.ts b/src/backend/middlewares/user/AuthenticationMWs.ts
@@ -249,8 +249,10 @@ export class AuthenticationMWs {
     if (
       typeof req.body === 'undefined' ||
       typeof req.body.loginCredential === 'undefined' ||
-      typeof req.body.loginCredential.username === 'undefined' ||
-      typeof req.body.loginCredential.password === 'undefined'
+      typeof req.body.loginCredential.username !== 'string' ||
+      typeof req.body.loginCredential.password !== 'string' ||
+      req.body.loginCredential.username.length === 0 ||
+      req.body.loginCredential.password.length === 0
     ) {
       Logger.warn(LOG_TAG, 'Failed login from IP `' + req.ip + '` no user or password provided');
       return next(
diff --git a/src/backend/model/database/UserManager.ts b/src/backend/model/database/UserManager.ts
@@ -12,11 +12,12 @@ export class UserManager {
 
   public async findOne(filter: FindOptionsWhere<UserEntity>): Promise<UserEntity> {
     const connection = await SQLConnection.getConnection();
+    const verifyPassword = typeof filter.password == 'string';
     const pass = filter.password as string;
     delete filter.password;
     const user = await connection.getRepository(UserEntity).findOneBy(filter);
 
-    if (pass && !PasswordHelper.comparePassword(pass, user.password)) {
+    if (verifyPassword && !PasswordHelper.comparePassword(pass, user.password)) {
       throw new Error('No entry found');
     }
     return user;
