Description
Expected behaviour
GitHub Advisory CVE-2024-32879 provides details of an exploit on case-insensitive checks on `uid` in the table `social_auth_association`. The workaround proposed is to alter the collation type to `utf8_bin`.

The issue here is that the advisory incorrectly references the table `social_auth_association`.
Recommended fix for the advisory
The actual exploit for `uid` exists in the table `social_auth_usersocialauth`. There is no `uid` column in any other table referenced in the social-app-django project.
So the recommended workaround in CVE-2024-32879 needs to be updated from

```sql
ALTER TABLE `social_auth_association` MODIFY `uid` varchar(255) COLLATE `utf8_bin`; -- Incorrect: 'social_auth_association'
```

to

```sql
ALTER TABLE `social_auth_usersocialauth` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;
```
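To see what the collation change on the `uid` column actually does, here is an added example (not code from social-app-django or from the advisory) that uses an in-memory SQLite database as a stand-in: SQLite's `NOCASE` collation plays the role of a case-insensitive MySQL collation, and `BINARY` plays the role of `utf8_bin`. The table name and column layout follow the migration excerpt above; the provider name, uids and user ids are constructed for the demonstration.

```python
import sqlite3

# Constructed demonstration (not social-app-django code): a minimal stand-in for
# social_auth_usersocialauth so the effect of the uid column's collation can be
# observed directly. NOCASE ~ case-insensitive MySQL collation, BINARY ~ utf8_bin.

TABLE = "social_auth_usersocialauth"
PROVIDER = "example-provider"  # constructed provider name


def build_db(collation: str) -> sqlite3.Connection:
    """Create the stand-in table with the uid column under the given collation.

    The collation is an internal constant ("NOCASE" or "BINARY"), never user
    input, which is why it is interpolated into the DDL rather than bound.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"""
        CREATE TABLE {TABLE} (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            provider VARCHAR(32) NOT NULL,
            uid VARCHAR(255) COLLATE {collation} NOT NULL,
            user_id INTEGER NOT NULL,
            UNIQUE (provider, uid)
        )
        """
    )
    return conn


def add_social_auth(conn: sqlite3.Connection, uid: str, user_id: int) -> None:
    """Link a provider uid to a local user id (parameters are bound, not interpolated)."""
    conn.execute(
        f"INSERT INTO {TABLE} (provider, uid, user_id) VALUES (?, ?, ?)",
        (PROVIDER, uid, user_id),
    )


def lookup_user(conn: sqlite3.Connection, uid: str):
    """Return the local user_id linked to (PROVIDER, uid), or None if no row matches."""
    row = conn.execute(
        f"SELECT user_id FROM {TABLE} WHERE provider = ? AND uid = ?",
        (PROVIDER, uid),
    ).fetchone()
    return row[0] if row else None


def uid_lookup_is_case_insensitive(collation: str) -> bool:
    """True if a uid differing only by case resolves to the existing user's row."""
    conn = build_db(collation)
    add_social_auth(conn, "Alice", 1)        # existing association, constructed
    return lookup_user(conn, "ALICE") == 1   # probe with a case variant


def distinct_uids_allowed(collation: str) -> bool:
    """True if 'Alice' and 'alice' can coexist as separate associations."""
    conn = build_db(collation)
    add_social_auth(conn, "Alice", 1)
    try:
        add_social_auth(conn, "alice", 2)
    except sqlite3.IntegrityError:
        return False  # the unique index on (provider, uid) treated them as equal
    return True


if __name__ == "__main__":
    for collation in ("NOCASE", "BINARY"):
        print(
            f"{collation}: case-insensitive lookup={uid_lookup_is_case_insensitive(collation)}, "
            f"distinct uids allowed={distinct_uids_allowed(collation)}"
        )
```

Under `NOCASE` the lookup for `ALICE` returns user 1 and a second row for `alice` is rejected, which is the behaviour the advisory warns about; under `BINARY` (the `utf8_bin` equivalent) the two uids are different values. The point of the issue is that this collation must be applied to the `uid` column of `social_auth_usersocialauth`, the only table that has one.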
What are the steps to reproduce this issue?
No repro required. You can check the schema of the tables in social-app-django/social_django/migrations/0001_initial.py, which has the potentially exploitable `uid` column:
```python
# Excerpt from social_django/migrations/0001_initial.py (UID_LENGTH, USER_MODEL,
# JSONField and DjangoUserMixin are defined earlier in that file).
migrations.CreateModel(
    name="UserSocialAuth",
    fields=[
        (
            "id",
            models.AutoField(
                verbose_name="ID",
                serialize=False,
                auto_created=True,
                primary_key=True,
            ),
        ),
        ("provider", models.CharField(max_length=32)),
        ("uid", models.CharField(max_length=UID_LENGTH)),  # <-- Exploitable uid
        ("extra_data", JSONField(default="{}")),
        (
            "user",
            models.ForeignKey(
                related_name="social_auth",
                to=USER_MODEL,
                on_delete=models.CASCADE,
            ),
        ),
    ],
    options={
        "db_table": "social_auth_usersocialauth",  # <-- This is the table
    },
    bases=(models.Model, DjangoUserMixin),
),
```
Any logs, error output, etc?
Attempting to apply the workaround mentioned in the advisory fails:

```
ALTER TABLE "social_auth_association" ALTER COLUMN "uid" TYPE varchar(255) COLLATE "utf8_bin";
ERROR: column "uid" of relation "social_auth_association" does not exist
```
Any other comments?
Recommended action: no change required in the codebase; #566 is sufficient. Only the workaround in the advisory needs to be updated to reflect the correct table.