Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.7k
[Validator] Add a HaveIBeenPwned password validator#27738
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
stof commentedJun 27, 2018
This constraint already exist as a third-party one here:https://github.com/rollerworks/PasswordStrengthValidator/blob/v1.1.3/src/Validator/Constraints/P0wnedPassword.php I'm wondering whether we need to have it in core. |
dunglas commentedJun 27, 2018
I wasn't aware of this bundle! Thanks@stof for pointing it out. |
stof commentedJun 27, 2018
the threshold is not yet implemented there (it is always the equivalent of your |
Uh oh!
There was an error while loading.Please reload this page.
stloyd commentedJun 27, 2018
I was thinking about similar thing to add to Symfony, but after re-thinking the idea to have it core I decided to abandon it & probably propose it as documentation tutorial or something like that. Mostly cause it depends on external implementation. WDYT? |
linaori commentedJun 27, 2018
Great idea! I'm pretty sure that despite depending on a vendor, this would be a nice addition to the core. |
dunglas commentedJun 27, 2018 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
I had the same feelings, but if it's good enough to be included in Firefox, with its huge user base. I guess it's good for us too. It's alsoused by 1password. |
Majkl578 left a comment• edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I believe this violates the license / ToS of the service:
In other words, you're welcome to use the public API to build other services, butyou must identify Have I Been Pwned as the source of the data . Clear and visible attribution with a link to haveibeenpwned.com should be present anywhere data from the service is used including when searching breaches or pastes and when representing breach descriptions. It doesn't have to be overt, butthe interface in which Have I Been Pwned data is represented should clearly attribute the source per the Creative Commons Attribution 4.0 International License.
By design, Symfony, as a server-side framework (and Validator, as server-side component), can't fulfill any of those requirements.
Also hardcoding HTTP requests tosome URL sounds like a really bad idea (should the service be compromised, all users are doomed and you are in serious security trouble).
ChangePlaces commentedJun 27, 2018 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Please don't turn symfony into laravel. The owners of this site could easily 'omit' certain passwords and will know what sites have such passwords. |
stof commentedJun 27, 2018
I don't understand what you mean here. If you don't call the URL, you cannot use the service at all. |
stof commentedJun 27, 2018
@Majkl578 the paragraph you pasted is titled |
dunglas commentedJun 27, 2018 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
This kind of comments aren't constructive and create a bad atmosphere. That being said, and even if I personally think that we've a lot to learn from Laravel, I don't get what the relation between this PR and Laravel is. AFAIK, they don't provide an integration with HaveIBeenPwned (yet).
The password hash isn't sent to the API (only the first 5 chars are). So the API cannot know the password used. You can refer to the Cloudflare paper about k-anonymity I linked in the PR description. Anyway, this site is run by a well known security expert from Microsoft, and trusted by internet backbones such as Firefox and CloudFlare. This feature is 100% optin, if you don't trust this service, don't use it. @Majkl578 In addition to what@stof said, I sent a mail to Troy Hunt to be sure we're in the path from a legal PoV. I think that it's the website that will use this validator that need to comply with ToS, not Symfony. We'll make that bold in the documentation. |
stof commentedJun 27, 2018
Licensing is not an issue:https://twitter.com/troyhunt/status/1012066309251592192 |
goetas commentedJun 27, 2018
Not really happy to see third party api landing into the symfony core (that's becoming bigger and bigger recently) |
teohhanhui commentedJun 28, 2018 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
maxCount should be minCount, i.e. it's considered as pwned if it's present for a minimum number of times. |
teohhanhui commentedJun 28, 2018 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
IMO we could add an optional dependency on a third-party HTTP client. Since there's no PSR, the closest thing ishttps://github.com/php-http/httplug Edit: There's a draft PSR-18:https://github.com/php-fig/fig-standards/blob/master/proposed/http-client/http-client.md |
| protected function createValidator() | ||
| { | ||
| $httpClient = function (string $url) { | ||
| if ('https://api.pwnedpasswords.com/range/3EF27' === $url) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
String instead of constant? Just asking. :)
private const API_ERROR_VALIDATOR_STRING or sth like that, maybe?
dunglas commentedJun 28, 2018
@teohhanhui I think it's safer to wait for PSR-18 and use something lightweight like the current signature for now. It will be easy to switch when PSR-18 will be stable. |
dunglas commentedJun 28, 2018
@teohhanhui I planned to switch to |
ChangePlaces commentedJun 28, 2018
Also wanted to point out, the twitter stream of the guy responsible for this service has many messages of him talking about how much it's costing to host the service. Never a good sign. |
| return; | ||
| } | ||
| $httpClient = $this->httpClient; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Seems unecessary
| $hashPrefix = substr($hash, 0, 5); | ||
| $url = sprintf(self::RANGE_API, $hashPrefix); | ||
| $result = $httpClient->request('GET', $url)->getContent(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
If the endpoint is unavailable (500/503/... for instance), what should we do?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Currently, we throw. But this has been discussed at some point, I'll add an option to ignore this constraint if the API is down (disabled by default).
src/Symfony/Component/Validator/Tests/Constraints/NotPwnedValidatorTest.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
| public function testThresholdNotReached() | ||
| { | ||
| $constraint = new NotPwned(['threshold' => 10]); | ||
| $this->validator->validate(self::PASSWORD_LEAKED, $constraint); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| $this->validator->validate(self::PASSWORD_LEAKED,$constraint); | |
| $this->validator->validate(self::PASSWORD_LEAKED,newNotPwned(['threshold' =>10])); |
Uh oh!
There was an error while loading.Please reload this page.
dunglas commentedMar 21, 2019
Should be ready to be merged |
| return; | ||
| } | ||
| throw $e; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I still don't think that throwing here by default makes sense. What should be configurable is whether a HTTP failure will make the validator create a constraint violation or just skip.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I still don't think that throwing here by default makes sense.
The system must be as secure as possible by default. If there is an outage for the service, I prefer to retry latter to create the account of my company user than letting using something like "mum", or one that already has leaked. Now this behavior can be change using a simple attribute.
What should be configurable is whether a HTTP failure will make the validator create a constraint violation or just skip.
It's exactly what the new attribute does, or am I missing something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Throwing an exception will not create a constraint violation, but will lead in a server error. From the user's point of view that's the worst that could happen as they won't get any feedback of what went wrong and if there is anything they could do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
But if de don’t throw, how the monitoring system will detect the ongoing issue? It should be very exceptional and should probably trigger an alert.
Alternatively I can change the attribute to accept three value: throw (default), skip or fail. wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I think we should log by default and add ascream option (defaulting tofalse) to allow to opt-in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
If there is an exception it basically means that 3rd party is down, which means that there is an unrecoverable error. If you (as a system) decided that whatever password entered should NOT have been "pwned" then at this point we should throw an exception here, not log something. Now, if you "prefer" it to not have been "pwned" just setskipOnError to true and you're covered.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I'm on the same side as@sroze
fabpot commentedMar 31, 2019
This one should be in 4.3 :) Let's talk on Slack about the best way to finish it. |
sroze left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Looks good to me 👍
| return; | ||
| } | ||
| throw $e; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
If there is an exception it basically means that 3rd party is down, which means that there is an unrecoverable error. If you (as a system) decided that whatever password entered should NOT have been "pwned" then at this point we should throw an exception here, not log something. Now, if you "prefer" it to not have been "pwned" just setskipOnError to true and you're covered.
fabpot commentedApr 1, 2019
Thank you@dunglas. |
…unglas)This PR was squashed before being merged into the 4.3-dev branch (closes#27738).Discussion----------[Validator] Add a HaveIBeenPwned password validator| Q | A| ------------- | ---| Branch? | master| Bug fix? | no| New feature? | yes <!-- don't forget to update src/**/CHANGELOG.md files -->| BC breaks? | no <!-- seehttps://symfony.com/bc -->| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->| Tests pass? | yes <!-- please add some, will be required by reviewers -->| Fixed tickets | n/a <!-- #-prefixed issue number(s), if any -->| License | MIT| Doc PR | todoThis PR adds a new `Pwned` validation constraint to prevent users to choose passwords that have been leaked in public data breaches.The validator uses thehttps://haveibeenpwned.com/ API. The implementation is similar to the one used by [Firefox Monitor](https://blog.mozilla.org/futurereleases/2018/06/25/testing-firefox-monitor-a-new-security-tool/). It allows to not expose the password hash using a k-anonymity model. The specific implementation for HaveIBeenPwned has been [described in depth by Cloudflare](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/).Usage:```php// Rejects the password if is present in any number of times in any data breachclass User{ /**@pwned */ public $plainPassword;}// Rejects the password if is present more than 5 times in data breachesclass User{ /**@pwned(maxCount=5) */ public $plainPassword;}// Customize the error messageclass User{ /**@pwned(message='Please select another password, this one has already been hacked.') */ public $plainPassword;}```Commits-------ec1ded8 [Validator] Add a HaveIBeenPwned password validator
| protected static $errorNames = [self::PWNED_ERROR => 'PWNED_ERROR']; | ||
| public $message = 'This password has been leaked in a data breach, it must not be used. Please use another password.'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
should be added invalidators.en.xlf + any language you know :)
not sure we'll do another round of good first issues for the remaining locales :}
| use Symfony\Component\Validator\Constraint; | ||
| /** | ||
| * Checks if a password has been leaked in a data breach. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
perhaps clarify the password should NOT be leaked :/
…javiereguiluz)This PR was squashed before being merged into the master branch (closes#11300).Discussion----------Added docs for the NotCompromisedPassword constraintDocumentssymfony/symfony#27738.Commits-------78a9387 Added docs for the NotCompromisedPassword constraint
This PR was squashed before being merged into the 3.4 branch (closes#32539).Discussion----------[Validator] Add missing Hungarian translations| Q | A| ------------- | ---| Branch? | 3.4| Bug fix? | no| New feature? | no| BC breaks? | no <!-- seehttps://symfony.com/bc -->| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->| Tests pass? | yes <!-- please add some, will be required by reviewers -->| Fixed tickets | - <!-- #-prefixed issue number(s), if any -->| License | MIT| Doc PR | - <!-- required for new features --><!--Replace this notice by a short README for your feature/bugfix. This will help peopleunderstand your PR and can be used as a start for the documentation.Additionally (seehttps://symfony.com/roadmap): - Bug fixes must be submitted against the lowest maintained branch where they apply (lowest branches are regularly merged to upper ones so they get the fixes too). - Features and deprecations must be submitted against branch 4.4. - Legacy code removals go to the master branch.-->It has 2 messages translated to Hungarian introduced in#27738 and#32435. AFAIK it should be based on 3.4, but tell me if I should rebase any of the commits.Commits-------2fee912 [Validator] Add missing Hungarian translations
This PR was squashed before being merged into the 3.4 branch (closes #32539).Discussion----------[Validator] Add missing Hungarian translations| Q | A| ------------- | ---| Branch? | 3.4| Bug fix? | no| New feature? | no| BC breaks? | no <!-- seehttps://symfony.com/bc -->| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->| Tests pass? | yes <!-- please add some, will be required by reviewers -->| Fixed tickets | - <!-- #-prefixed issue number(s), if any -->| License | MIT| Doc PR | - <!-- required for new features --><!--Replace this notice by a short README for your feature/bugfix. This will help peopleunderstand your PR and can be used as a start for the documentation.Additionally (seehttps://symfony.com/roadmap): - Bug fixes must be submitted against the lowest maintained branch where they apply (lowest branches are regularly merged to upper ones so they get the fixes too). - Features and deprecations must be submitted against branch 4.4. - Legacy code removals go to the master branch.-->It has 2 messages translated to Hungarian introduced insymfony/symfony#27738 andsymfony/symfony#32435. AFAIK it should be based on 3.4, but tell me if I should rebase any of the commits.Commits-------2fee9124ba [Validator] Add missing Hungarian translations
This PR adds a new
Pwnedvalidation constraint to prevent users to choose passwords that have been leaked in public data breaches.The validator uses thehttps://haveibeenpwned.com/ API. The implementation is similar to the one used byFirefox Monitor. It allows to not expose the password hash using a k-anonymity model. The specific implementation for HaveIBeenPwned has beendescribed in depth by Cloudflare.
Usage: