Fix: Prevent allauth from sending emails to unknown accounts during password reset #5212
Conversation
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
…counts Co-authored-by: DonnieBLT <128622481+DonnieBLT@users.noreply.github.com>
Co-authored-by: DonnieBLT <128622481+DonnieBLT@users.noreply.github.com>
Co-authored-by: DonnieBLT <128622481+DonnieBLT@users.noreply.github.com>
Co-authored-by: DonnieBLT <128622481+DonnieBLT@users.noreply.github.com>
|
@copilot I mesn the allauth emails thst are sent when an emsil doesnt exist |
…N_ACCOUNTS = False) Co-authored-by: DonnieBLT <128622481+DonnieBLT@users.noreply.github.com>
You're absolutely right! I investigated and found that django-allauth 65.x introduced the Fixed in commit 98b1846 by setting The tests now verify that NO emails are sent to unknown accounts, preventing account enumeration attacks. |
|
This PR adds the following new .md file(s):
Please remove these markdown files from the PR. If you believe this file is necessary, please create an issue to discuss it with the maintainers before adding it. Thank you for your contribution! 🙏 |
github-actions
bot
added
files-changed: 3
github-actions
bot
added
pre-commit: passed
![sentry[bot]](https://avatars.githubusercontent.com/u/1396951?s=60&v=4){kind=small}
| # Security: Do not send emails to unknown accounts during password reset | ||
| # This prevents account enumeration attacks | ||
| ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False |
There was a problem hiding this comment.
Bug: The ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False setting likely inverts the intended security behavior, potentially enabling user enumeration.
Severity: HIGH | Confidence: Medium
🔍 Detailed Analysis
The ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False setting, as introduced in blt/settings.py, appears to be incorrectly configured. According to standard django-allauth documentation, setting this to True (the default) is what prevents user enumeration by sending dummy emails to unknown accounts. Setting it to False would likely enable the vulnerability, allowing attackers to determine valid user accounts. The PR's own documentation snippet also suggests that False would prevent sending any mail, which contradicts the goal of preventing enumeration via dummy emails. The existing tests do not adequately validate that this setting controls the behavior, leading to a false sense of security.
💡 Suggested Fix
Verify the ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS setting against django-allauth 65.13.1's actual source code or official documentation. Confirm if the value should be True (not False) to prevent user enumeration, and ensure the setting name is correct.
🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: blt/settings.py#L348-L350
Potential issue: The `ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False` setting, as introduced in
`blt/settings.py`, appears to be incorrectly configured. According to standard
`django-allauth` documentation, setting this to `True` (the default) is what prevents
user enumeration by sending dummy emails to unknown accounts. Setting it to `False`
would likely enable the vulnerability, allowing attackers to determine valid user
accounts. The PR's own documentation snippet also suggests that `False` would prevent
sending any mail, which contradicts the goal of preventing enumeration via dummy emails.
The existing tests do not adequately validate that this setting controls the behavior,
leading to a false sense of security.
Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 6368094
|
👋 Hi @Copilot! This pull request needs a peer review before it can be merged. Please request a review from a team member who is not:
Once a valid peer review is submitted, this check will pass automatically. Thank you! |
github-actions
bot
added
needs-peer-review
There was a problem hiding this comment.
Pull request overview
This PR addresses a security vulnerability in django-allauth 65.x by configuring the application to prevent account enumeration attacks during password reset. The change ensures that the system maintains consistent API responses while only sending emails to registered accounts, following OWASP security best practices.
Key Changes
- Security Configuration: Added
ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = Falsesetting to prevent emails being sent to unknown accounts - Test Coverage: Implemented comprehensive tests verifying that unknown accounts receive no emails while maintaining consistent 200 OK responses
- Documentation: Created detailed security documentation explaining the implementation, attack prevention, and maintenance guidelines
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
blt/settings.py |
Added critical security setting ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False with explanatory comments to prevent account enumeration attacks |
website/tests/test_api.py |
Implemented TestPasswordResetUnknownEmail test class with two tests verifying correct behavior for both known and unknown email addresses |
docs/security/password-reset-security.md |
Comprehensive security documentation covering implementation details, configuration requirements, attack prevention mechanisms, and maintenance guidelines |
docs/ISSUE_RESOLUTION_SUMMARY.md |
Detailed analysis document explaining the django-allauth 65.x issue, the fix implementation, and verification results |
| print("\nTest: Password reset for unknown email") | ||
| print(f"Response status: {response.status_code}") | ||
| print(f"Response data: {response.json() if response.status_code == 200 else response.content}") | ||
| print(f"Emails sent: {len(mail.outbox)}") | ||
|
|
||
| # The response should be 200 OK to not reveal account existence | ||
| self.assertEqual(response.status_code, 200) | ||
|
|
||
| # But NO email should actually be sent for non-existent accounts | ||
| self.assertEqual(len(mail.outbox), 0, "No email should be sent for unknown accounts") | ||
|
|
||
| print("✓ Correct: No email sent for unknown account") | ||
| print("✓ Response still returns 200 OK (doesn't leak account existence)") |
There was a problem hiding this comment.
Print statements should be removed from test code before committing. According to the project's coding guidelines, print statements should only be used temporarily during development and removed before committing. Consider using Django's logging framework or removing these debugging statements entirely since the test assertions already verify the expected behavior.
| print("\nTest: Password reset for known email") | ||
| print(f"Response status: {response.status_code}") | ||
| print(f"Response data: {response.json() if response.status_code == 200 else response.content}") | ||
| print(f"Emails sent: {len(mail.outbox)}") | ||
|
|
||
| # The response should be 200 OK | ||
| self.assertEqual(response.status_code, 200) | ||
|
|
||
| # Email SHOULD be sent for existing accounts | ||
| self.assertEqual(len(mail.outbox), 1, "Email should be sent for known accounts") | ||
|
|
||
| print("✓ Correct: Email sent for known account") |
There was a problem hiding this comment.
Print statements should be removed from test code before committing. According to the project's coding guidelines, print statements should only be used temporarily during development and removed before committing. Consider using Django's logging framework or removing these debugging statements entirely since the test assertions already verify the expected behavior.
| def test_password_reset_known_email_sends_email(self): | ||
| """Test password reset with known email - should send email""" | ||
| # Create a user | ||
| user = get_user_model().objects.create_user( |
There was a problem hiding this comment.
Variable user is not used.
| user = get_user_model().objects.create_user( | |
| get_user_model().objects.create_user( |
github-project-automation
bot
moved this from Backlog
to Done
in 📌 OWASP BLT Project Board
Fixes a security vulnerability in django-allauth 65.x where the
ACCOUNT_EMAIL_UNKNOWN_ACCOUNTSsetting defaults toTrue, causing emails to be sent to unknown email addresses during password reset. This reveals that accounts don't exist and enables account enumeration attacks.Problem
django-allauth 65.x introduced
ACCOUNT_EMAIL_UNKNOWN_ACCOUNTSwhich defaults toTrue. When enabled, allauth callssend_unknown_account_mail()for non-existent email addresses during password reset, revealing that the account doesn't exist.Solution
Set
ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = Falseinblt/settings.pyto disable this behavior and prevent account enumeration attacks.Changes
Configuration Fix (
blt/settings.py)ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = Falsewith security commentTests (
website/tests/test_api.py)TestPasswordResetUnknownEmailwith tests verifying:Documentation (
docs/security/password-reset-security.md)ACCOUNT_EMAIL_UNKNOWN_ACCOUNTSResolution summary (
docs/ISSUE_RESOLUTION_SUMMARY.md)Current behavior
Testing
Original prompt
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.