fix: remove activation_key from account REST API response#832
samuelallan72
left a comment
This misses the change to openedx/core/djangoapps/user_api/accounts/views.py from the upstream commit ( openedx@ad342ae ) - see this line: https://github.com/open-craft/edx-platform/blob/ed8ca52fd49bc9812e3257c25079c49cb0e4878e/openedx/core/djangoapps/user_api/accounts/views.py#L174 . Not critical, but I think important to retain the patch as a whole to avoid confusing code drift.
Also, please show in the commit and PR description that this is a cherry pick of openedx@ad342ae
@samuelallan72 It does remove that change, but that change is applied after a massive rewrite of the docstring. I removed it to lower the amount of conflicting lines. I'm not sure that adding the full docstring will apply cleaner, since the commit which adds that full documentation won't come until much later, causing a conflict down the line.
@Kelketek ah I see. In that case, dropping that docstring diff seems fine to me. Please still update the PR descriptions and commit messages to show the cherry pick. :)
cherry-pick from upstream: openedx#38241

The activation_key field was exposed in /api/user/v1/accounts/{username}, allowing an attacker to bypass email verification by combining two behaviors:

1. OAuth2 password grant issues tokens to inactive users (intentional)
2. activation_key returned in API response (the vulnerability)

An attacker could register, get an OAuth2 token, read the activation_key from the API, then GET /activate/{key} to activate without email access.

Fix: remove activation_key from UserReadOnlySerializer.to_representation() and from ACCOUNT_VISIBILITY_CONFIGURATION["admin_fields"] (which controls the field whitelist in _filter_fields — listed fields default to None even if absent from the serializer data dict).

Reported by Daniel Baillo via the Open edX security working group.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ed8ca52 to 2528c4a
samuelallan72
left a comment
@Kelketek 👍 Thanks!
- I tested this: checked this matches the upstream patch, checked it appears to apply cleanly, checked that the failing tests aren't related
- I read through the code
- I checked for accessibility issues
- Includes documentation
cherry-pick from upstream: openedx#38241
The activation_key field was exposed in /api/user/v1/accounts/{username}, allowing an attacker to bypass email verification by combining two behaviors:
1. OAuth2 password grant issues tokens to inactive users (intentional)
2. activation_key returned in API response (the vulnerability)
An attacker could register, get an OAuth2 token, read the activation_key from the API, then GET /activate/{key} to activate without email access.
Fix: remove activation_key from UserReadOnlySerializer.to_representation() and from ACCOUNT_VISIBILITY_CONFIGURATION["admin_fields"] (which controls the field whitelist in _filter_fields — listed fields default to None even if absent from the serializer data dict).
Reported by Daniel Baillo via the Open edX security working group.
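The fix description above explains why the field had to be removed in two places: the allow-list consulted by _filter_fields emits every listed field, defaulting to None when the serializer did not produce it, so deleting it from the serializer alone would still leave an `activation_key` key in the response. The following is an added illustration of that behaviour, written for this page and not taken from edx-platform; the names ACCOUNT_VISIBILITY_CONFIGURATION, admin_fields, _filter_fields and activation_key come from the PR description, while the simplified filter implementation, the sample account data and the `leaked_fields` regression check are assumptions constructed here.

```python
"""Model of an allow-list response filter and why the fix needed two edits.

Added illustration, not edx-platform code. The filter semantics (listed
fields default to None when absent from the serializer output) are taken
from the PR description; everything else here is a constructed stand-in.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample of what a read-only account serializer might emit
# BEFORE the fix, when to_representation() still included the key.
SERIALIZED_BEFORE: Dict[str, Any] = {
    "username": "alice",
    "email": "alice@example.com",
    "is_active": False,
    "activation_key": "CONSTRUCTED-SAMPLE-KEY-NOT-REAL",
}

# Serializer half of the fix: to_representation() no longer emits the key.
SERIALIZED_AFTER: Dict[str, Any] = {
    k: v for k, v in SERIALIZED_BEFORE.items() if k != "activation_key"
}

# Stand-in for ACCOUNT_VISIBILITY_CONFIGURATION["admin_fields"] before and
# after the configuration half of the fix.
ADMIN_FIELDS_BEFORE: Tuple[str, ...] = (
    "username", "email", "is_active", "activation_key",
)
ADMIN_FIELDS_AFTER: Tuple[str, ...] = tuple(
    f for f in ADMIN_FIELDS_BEFORE if f != "activation_key"
)

# Fields that must never appear in an account API response, whatever the
# visibility level. Extend as needed; only activation_key is on this page.
SENSITIVE_FIELDS: Tuple[str, ...] = ("activation_key",)


def filter_fields(data: Dict[str, Any], allowed: Tuple[str, ...]) -> Dict[str, Any]:
    """Simplified model of _filter_fields as the PR describes it.

    Every field named in the allow-list is present in the output. If the
    serializer did not produce it, the value defaults to None. That default
    is exactly why removing the field from the serializer alone is not
    enough: the key survives (as None) until the allow-list is fixed too.
    """
    return {field: data.get(field) for field in allowed}


def leaked_fields(response: Dict[str, Any]) -> List[str]:
    """Regression check for a test suite: which sensitive keys are present
    in a response at all, regardless of their value. A None value still
    counts, because the key's presence is what reveals the field exists."""
    return [f for f in SENSITIVE_FIELDS if f in response]


def main() -> None:
    cases = {
        "before fix":            (SERIALIZED_BEFORE, ADMIN_FIELDS_BEFORE),
        "serializer fixed only": (SERIALIZED_AFTER, ADMIN_FIELDS_BEFORE),
        "both fixed":            (SERIALIZED_AFTER, ADMIN_FIELDS_AFTER),
    }
    for label, (data, allowed) in cases.items():
        response = filter_fields(data, allowed)
        print(f"{label:24s} keys={sorted(response)} leaked={leaked_fields(response)}")


if __name__ == "__main__":
    main()
```

Run stand-alone, the three cases show the key present with a value, present as None, and absent. In a real test suite the `leaked_fields` check belongs in a test that exercises the full admin-visibility response for every account endpoint, so that a future addition to the allow-list cannot silently reintroduce the field.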