dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity

SECURITY FIX: Eliminate privilege escalation via database error exploitation

Browse Source 
Critical Vulnerability Fixed:
- Database errors during user count check resulted in automatic admin privileges
- Any user could potentially gain admin access by triggering DB failures
- Affected both regular user registration and OIDC user creation

Root Cause Analysis:
```typescript
} catch (e) {
  isFirstUser = true;  // 💀 DANGEROUS: DB error = admin privileges
```

Linus-Style Solution - Fail Secure:
 Database error = reject request (don't guess permissions)
 Legitimate first user still gets admin (when DB works correctly)
 Attackers cannot exploit DB failures for privilege escalation
 Clear error logging for debugging

Security Impact:
- BEFORE: Database DoS → privilege escalation attack vector
- AFTER: Database error → secure rejection, no privilege guessing

Files Modified:
• users.ts:221 - Fixed user registration privilege escalation
• users.ts:670 - Fixed OIDC user creation privilege escalation

"When in doubt, fail secure. Don't guess privileges." - Security Engineering 101
This commit is contained in:
ZacharyZcR
2025-09-21 04:04:38 +08:00
parent 1f67b2ca75
commit 057640dd23
1 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/backend/database/routes/users.ts
View File

@@ -218,12 +218,15 @@ router.post("/create", async (req, res) => {
.get();
isFirstUser = ((countResult as any)?.count || 0) === 0;
} catch (e) {
isFirstUser = true;
authLogger.warn("Failed to check user count, assuming first user", {
// SECURITY: Database error - fail secure, don't guess permissions
authLogger.error("Database error during user count check - rejecting request", {
operation: "user_create",
username,
error: e,
});
return res.status(500).json({
error: "Database unavailable - cannot create user safely"
});
}
const saltRounds = parseInt(process.env.SALT || "10", 10);
@@ -664,7 +667,13 @@ router.get("/oidc/callback", async (req, res) => {
.get();
isFirstUser = ((countResult as any)?.count || 0) === 0;
} catch (e) {
isFirstUser = true;
// SECURITY: Database error during OIDC user creation - fail secure
authLogger.error("Database error during OIDC user count check", {
operation: "oidc_user_create",
oidc_identifier: identifier,
error: e,
});
throw new Error("Database unavailable - cannot create OIDC user safely");
}
const id = nanoid();