Invalid username (JID) will crash oauth process

Bug description

An invalid username will crash the ejabberd_oauth process.
See:

Lines 597 to 598 in 6bd4399

    
           StringJID = proplists:get_value(<<"username">>, Q, <<"">>), 
        
           #jid{user = Username, server = Server} = jid:decode(StringJID),

Errors thrown by jid:decode(StringJID) will crash the process as they are not caught.

https://github.com/processone/xmpp/blob/eec76d8d13ae3a774f373af16e139727bbd0be02/src/jid.erl#L135-L144

You can reproduce the issue by supplying a username that will trigger a tr0 case and set ret = 0 which return an error atom.

https://github.com/processone/xmpp/blob/master/c_src/jid.c

A malicious actor could keep submitting requests with an invalid username to cause DOS and prevent other users to log in.

Expected Behaviour

The process should not crash. The error should be handled in ejabberd_oauth

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Invalid username (JID) will crash oauth process #4355

Bug description

Expected Behaviour

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	StringJID = proplists:get_value(<<"username">>, Q, <<"">>),
	#jid{user = Username, server = Server} = jid:decode(StringJID),

Invalid username (JID) will crash oauth process #4355

Description

Bug description

Expected Behaviour

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions