auth: Actually check SASL identity argument before using it

Fixes GHSA-4g76-w3xw-2x6w.
foxcpp · Mar 13, 2023 · 9f58cb6 · 9f58cb6
1 parent ac4a75b
commit 9f58cb6
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/internal/auth/sasl.go b/internal/auth/sasl.go
@@ -81,6 +81,9 @@ func (s *SASLAuth) CreateSASL(mech string, remoteAddr net.Addr, successCb func(i
 			if identity == "" {
 				identity = username
 			}
+			if identity != username {
+				return ErrInvalidAuthCred
+			}
 
 			err := s.AuthPlain(username, password)
 			if err != nil {

diff --git a/internal/auth/sasl_test.go b/internal/auth/sasl_test.go
@@ -75,13 +75,13 @@ func TestCreateSASL(t *testing.T) {
 
 	t.Run("PLAIN with authorization identity", func(t *testing.T) {
 		srv := a.CreateSASL("PLAIN", &net.TCPAddr{}, func(id string) error {
-			if id != "user1a" {
+			if id != "user1" {
 				t.Fatal("Wrong authorization identity passed:", id)
 			}
 			return nil
 		})
 
-		_, _, err := srv.Next([]byte("user1a\x00user1\x00aa"))
+		_, _, err := srv.Next([]byte("user1\x00user1\x00aa"))
 		if err != nil {
 			t.Error("Unexpected error:", err)
 		}