Closed
Labels: Potential Bug (Something that might be a bug, but needs validation and confirmation it can be reproduced), To Triage (An issue awaiting triage by a Matomo core team member)
Description
What happened?
Many fatal errors are produced in the logs and brute force blocking is likely not activated when malformed input is sent to the reset password endpoint.
The stack trace produced is the following:
Error: Piwik\Plugins\Login\Model::getTotalLoginAttemptsInLastHourForLogin(): Argument #1 ($login) must be of type string, array given, called in code_dir/plugins/Login/Security/BruteForceDetection.php on line 169
File: code_dir/plugins/Login/Model.php, line 34 (request_id: 7172c)

Backtrace (on code_dir/plugins/Login/Model.php(34)):
#0 code_dir/plugins/Login/Security/BruteForceDetection.php(169): Piwik\Plugins\Login\Model->getTotalLoginAttemptsInLastHourForLogin()
#1 code_dir/plugins/Login/Login.php(184): Piwik\Plugins\Login\Security\BruteForceDetection->isUserLoginBlocked()
#2 [internal function]: Piwik\Plugins\Login\Login->beforeLoginCheckBruteForce()
#3 code_dir/core/EventDispatcher.php(150): call_user_func_array()
#4 code_dir/core/Piwik.php(880): Piwik\EventDispatcher->postEvent()
#5 code_dir/core/FrontController.php(643): Piwik\Piwik::postEvent()
#6 code_dir/core/FrontController.php(169): Piwik\FrontController->doDispatch()
#7 code_dir/core/dispatch.php(33): Piwik\FrontController->dispatch()
#8 code_dir/index.php(25): require_once('...')
#9 {main}

Safemode backtrace:
#0 [internal function]: Piwik\Plugins\Cloud\Controller->safemode()
#1 /core/FrontController.php(645): call_user_func_array()
#2 /core/FrontController.php(169): Piwik\FrontController->doDispatch()
#3 /core/FrontController.php(100): Piwik\FrontController->dispatch()
#4 /core/FrontController.php(140): Piwik\FrontController::()
#5 /core/FrontController.php(196): Piwik\FrontController::()
#6 /core/dispatch.php(33): Piwik\FrontController->dispatch()
#7 /index.php(25): require_once('...')
#8 {main}
With additional content in the post:
GET: {"module":"Login"}
POST: {"action":"resetPassword","form_login":{"..."}}
A sample of the post data was provided above. I believe it is the dictionary/object structure provided to form_login that produces the error.
What should happen?
Malformed login details should be validated and trigger the brute force activation instead of producing a fatal error.
How can this be reproduced?
Send requests to the following endpoint with an array for the form_login:
GET: {"module":"Login"}
POST: {"action":"resetPassword","form_login":{"..."}}
Matomo version
5.3.0
PHP version
8.2
Server operating system
Linux
What browsers are you seeing the problem on?
Firefox
Computer operating system
No response
Relevant log output
No response
Validations
- Read our Contributing Guidelines.
- Follow our Security Policy.
- Check that there isn't already an issue that reports the same bug to avoid creating duplicates.
- The provided steps to reproduce are a minimal reproducible example of the bug.
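As an added example (not code from the Matomo project or from the reporter), the stand-alone PHP script below models the failure described under "What happened?" and "How can this be reproduced?": PHP's request parser turns `form_login[...]=...` into an array, and a method whose parameter is declared `string $login` then raises a TypeError before any attempt is counted, so no lockout is ever applied. The class name LoginAttemptStore, the `<malformed>` sentinel key, the 100-character cap and the threshold of 3 attempts are assumptions for illustration only; the method name getTotalLoginAttemptsInLastHourForLogin and its `string` parameter type are taken from the stack trace in the report.

```php
<?php
// Added illustration, not Matomo's own code. Names below are stand-ins
// modelled on the stack trace in the report; their bodies are hypothetical.
declare(strict_types=1);

// Stand-in for Piwik\Plugins\Login\Model. The real method is declared with
// `string $login` (per the TypeError message), so PHP refuses arrays.
final class LoginAttemptStore
{
    /** @var array<string,int> constructed in-memory counter, keyed by login */
    private array $attemptsByLogin = [];

    public function getTotalLoginAttemptsInLastHourForLogin(string $login): int
    {
        return $this->attemptsByLogin[$login] ?? 0;
    }

    public function addFailedAttempt(string $login): void
    {
        $this->attemptsByLogin[$login] = ($this->attemptsByLogin[$login] ?? 0) + 1;
    }
}

// PHP's request parser turns `form_login[x]=y` into a nested array, so a
// POST field is never guaranteed to be a scalar.
function parsePostBody(string $body): array
{
    parse_str($body, $post);
    return $post;
}

// Unguarded variant: forwards whatever the client sent to the string-typed
// method. With an array this throws TypeError and nothing is recorded.
function checkBlockedUnguarded(LoginAttemptStore $store, array $post, int $max): bool
{
    $login = $post['form_login'] ?? '';
    return $store->getTotalLoginAttemptsInLastHourForLogin($login) >= $max;
}

// Guarded variant: a login must be a non-empty string of sane length.
// Anything else is treated as a failed attempt against a sentinel key, so the
// same counter and the same lockout apply to malformed requests.
function checkBlockedGuarded(LoginAttemptStore $store, array $post, int $max): bool
{
    $login = $post['form_login'] ?? null;
    if (!is_string($login) || $login === '' || strlen($login) > 100) {
        $login = '<malformed>';   // hypothetical sentinel, not a Matomo convention
        $store->addFailedAttempt($login);
    }
    return $store->getTotalLoginAttemptsInLastHourForLogin($login) >= $max;
}

// Constructed request bodies: the array shape from the report, and a normal one.
$malformed = parsePostBody('action=resetPassword&form_login[]=admin&form_login[x]=y');
$normal    = parsePostBody('action=resetPassword&form_login=admin');

$store = new LoginAttemptStore();

try {
    checkBlockedUnguarded($store, $malformed, 3);
    echo "unguarded: no error\n";
} catch (TypeError $e) {
    // Same failure mode as the logged error: a fatal TypeError, no lockout.
    echo "unguarded: TypeError: ", $e->getMessage(), "\n";
}

// Guarded path: each malformed request is counted; the third one is blocked.
foreach ([1, 2, 3] as $i) {
    $blocked = checkBlockedGuarded($store, $malformed, 3) ? 'blocked' : 'allowed';
    echo "guarded malformed request $i: $blocked\n";
}

// A well-formed login with no failures is still allowed.
var_dump(checkBlockedGuarded($store, $normal, 3));
```

Run it with `php script.php`. The first section reproduces the TypeError from the report in miniature; the second shows that validating the field type before the brute-force check lets malformed requests feed the same lockout counter instead of crashing the request. Where the guard lives (before the brute-force event or inside the detection class) is a design choice for the project; the point is that the type check has to happen before any string-typed call.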