User model login endpoint: security issue with possible query injection

[gabjauf]

Hello Loopback!

I found some kind of vulnerability on POST /Users/login route from the default User model:

Description/Steps to reproduce

Send the following to /Users/login as credentials

{
	"email": {"neq": "foo" },
	"password": "anything you want"
}

When inspecting the resulting user here

loopback/common/models/user.js

Line 254 in 4b3a3a3

, this results in the first user in the database being returned, which means we now only need to find the password.

Found in loopback v3.25.1

Expected result

We would expect the email to be forced as a string.

Feel free to reach me if my description is unclear 😄

[gabjauf]

We may also use the "regexp" functionality to test multiple users without having to know their exact email:

{
	"email": {"regexp": "^a" },
	"password": "anything you want"
}

[hacksparrow]

@gabjauf I tried both the payloads, I am getting 401. Can you elaborate the steps?

[hacksparrow]

Oh, I got what you mean. Taking a look. Thanks for reporting.

[fabien]

@hacksparrow I was seeing a 401 as well - could you elaborate on 'I got what you mean'?

[bajtos]

The fix has been published last week in loopback@3.26.0.

[gabjauf]

Great works guys, thanks 👍