[BUG] Storage label allows '.' from oidc #3346

Closed
2 of 3 tasks
pixil98 opened this issue Jul 20, 2023 · 2 comments · Fixed by #5717
Labels: bug (Something isn't working), good first issue (Good for newcomers), 🗄️server

Comments


pixil98 commented Jul 20, 2023

The bug

When using the new functionality to set a storage label from a claim when using OAuth, the claim seems to be taken without sanitization. In my setup the preferred_username is an email address, so it has a . in it.


If I try to set the same storage label manually, the . is stripped out when it is saved. I assume it's stripped out for a reason, but either way it would be good to be consistent.

The OS that Immich Server is running on

Debian

Version of Immich Server

v1.68.0

Version of Immich Mobile App

N/A

Platform with the issue

  • Server
  • Web
  • Mobile

Your docker-compose.yml content

apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-server
  namespace: auth
  labels:
    app.kubernetes.io/name: server
    app.kubernetes.io/instance: authentik
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: server
      app.kubernetes.io/instance: authentik
  template:
    metadata:
      labels:
        app.kubernetes.io/name: server
        app.kubernetes.io/instance: authentik
    spec:
      containers:
        - name: authentik
          image: goauthentik/server:2023.6.1
          imagePullPolicy: IfNotPresent
          args: ["server"]
          env:
            - name: AUTHENTIK_AVATARS
              value: "gravatar"
            - name: AUTHENTIK_BOOTSTRAP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: bootstrap-password
                  optional: false
            - name: AUTHENTIK_BOOTSTRAP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: bootstrap-token
                  optional: false
            - name: AUTHENTIK_BOOTSTRAP_EMAIL
              value: "redacted"
            - name: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
              value: "false"
            - name: AUTHENTIK_EMAIL__FROM
              value: "redacted"
            - name: AUTHENTIK_EMAIL__HOST
              value: "redacted"
            - name: AUTHENTIK_EMAIL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: email-password
                  optional: false
            - name: AUTHENTIK_EMAIL__PORT
              value: "587"
            - name: AUTHENTIK_EMAIL__TIMEOUT
              value: "30"
            - name: AUTHENTIK_EMAIL__USE_SSL
              value: "false"
            - name: AUTHENTIK_EMAIL__USE_TLS
              value: "true"
            - name: AUTHENTIK_EMAIL__USERNAME
              value: "authentik"
            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
              value: "false"
            - name: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
              value: "k8s"
            - name: AUTHENTIK_ERROR_REPORTING__SEND_PII
              value: "false"
            - name: AUTHENTIK_GEOIP
              value: "/geoip/GeoLite2-City.mmdb"
            - name: AUTHENTIK_LOG_LEVEL
              value: "info"
            - name: AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE
              value: "goauthentik/%(type)s:%(version)s"
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: "authentik-postgresql"
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: "authentik"
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: postgresql-user-password
                  optional: false
            - name: AUTHENTIK_POSTGRESQL__PORT
              value: "5432"
            - name: AUTHENTIK_POSTGRESQL__USER
              value: "authentik"
            - name: AUTHENTIK_REDIS__HOST
              value: "authentik-redis-master"
            - name: AUTHENTIK_REDIS__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: redis-password
                  optional: false
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: secret-key
                  optional: false
          ports:
            - name: http
              containerPort: 9000
              protocol: TCP
            - name: http-metrics
              containerPort: 9300
              protocol: TCP
            - name: https
              containerPort: 9443
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: http
            initialDelaySeconds: 50
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: http
            initialDelaySeconds: 50
            periodSeconds: 10

Your .env content

See above

Reproduction steps

1. Set up an OIDC provider
2. Set up Immich to use the OIDC provider
3. Create a user with a username that is an email address
4. Log in to Immich with the new user.

Additional information

No response

@pixil98 pixil98 added bug Something isn't working needs triage Bug that needs triage from maintainer labels Jul 20, 2023
@alextran1502 alextran1502 added 🗄️server and removed needs triage Bug that needs triage from maintainer labels Aug 1, 2023
@jrasm91 jrasm91 added the good first issue Good for newcomers label Aug 15, 2023

serfriz commented Nov 5, 2023

Is there a reason why the dots . need to be stripped out of the storage labels? It would be nice to be able to have labels like firstname.lastname.

alextran1502 (Contributor) commented

It is stripped out to prevent a path traversal attack, I believe.

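The two comments above make the security point: the storage label ends up as a directory name under the library root, so a value taken straight from an OIDC claim must go through the same sanitizer as a manually entered label. The following is an added example (not Immich's own code); the allowed character set, the `LabelSource` type and the helper names are assumptions made for illustration.

```typescript
// Added example (not Immich's own code): one storage-label sanitizer used for
// both the manual admin form and the OIDC claim, plus a containment check that
// the resulting label cannot escape the library root.
import * as path from "path";

// Assumption: only letters, digits, '-' and '_' are kept; everything else
// (including '.', '/', '\\', '@' and whitespace) is dropped.
function sanitizeStorageLabel(raw: string): string {
  return raw.replace(/[^A-Za-z0-9_-]/g, "");
}

// Hypothetical: where a label comes from, typed by an admin or taken from an
// OIDC claim such as preferred_username.
type LabelSource =
  | { kind: "manual"; label: string }
  | { kind: "oidc"; claimValue: string };

// Both sources pass through the same sanitizer, which is the consistency the
// issue asks for. A label that sanitizes to nothing is rejected (null).
function resolveStorageLabel(src: LabelSource): string | null {
  const raw = src.kind === "manual" ? src.label : src.claimValue;
  const label = sanitizeStorageLabel(raw);
  return label.length > 0 ? label : null;
}

// Defence in depth: even a label that slipped past sanitization must resolve
// to a single directory strictly inside the library root. POSIX paths are
// used so the result does not depend on the host platform.
function isInsideLibraryRoot(libraryRoot: string, label: string): boolean {
  const root = path.posix.resolve(libraryRoot);
  const target = path.posix.resolve(root, label);
  return (
    target.startsWith(root + path.posix.sep) &&
    path.posix.basename(target) === label
  );
}

// Constructed sample inputs: an email-style claim as in the report, and a
// traversal-style value to show what the containment check rejects.
const CLAIM_EMAIL = "first.last@example.com";
const CLAIM_TRAVERSAL = "../../etc";
const LIBRARY_ROOT = "/data/library";

function demo(): { fromClaim: string | null; rawClaimContained: boolean } {
  const fromClaim = resolveStorageLabel({ kind: "oidc", claimValue: CLAIM_EMAIL });
  return {
    fromClaim, // "firstlastexamplecom"
    rawClaimContained: isInsideLibraryRoot(LIBRARY_ROOT, CLAIM_TRAVERSAL), // false
  };
}
```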
JW-CH added a commit to JW-CH/immich that referenced this issue Dec 14, 2023
…management page phone-view same as desktop
JW-CH added a commit to JW-CH/immich that referenced this issue Dec 14, 2023
…management page phone-view same as desktop
JW-CH added a commit to JW-CH/immich that referenced this issue Dec 15, 2023
jrasm91 pushed a commit that referenced this issue Jan 1, 2024
* sanitize storagelabel when creating a user #3346

* code formatting
martabal pushed a commit that referenced this issue Jan 9, 2024
* sanitize storagelabel when creating a user #3346

* code formatting