Description
The registration form reveals whether an email address is already registered by showing a distinct error message ("already exists") via Django's ModelForm.validate_unique(). This enables user enumeration.
Spec Sections: S10D (US-XA-023)
Severity: LOW — security hardening, not a critical vulnerability
MoSCoW: SHOULD
What the spec requires
US-XA-023: "Prevent user enumeration on registration" — the registration response should be identical whether the email is new or already exists.
What currently exists
Django's default ModelForm.validate_unique() adds a field error when the email already exists, which is rendered differently from a successful registration. An attacker can distinguish between "email exists" and "email is new."
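The following is an added example, not code from this project or from Django: a framework-free model of the registration endpoint that reproduces the leak described above (a distinct field error for a duplicate email, as `ModelForm.validate_unique()` produces) beside a hardened handler that returns the same status and body whether the email is new or already registered, and a `leaks_existence()` check that does what the xfail tests do: submit a known-existing and a fresh email and compare the full responses. `FakeUserStore`, `register_leaky`, `register_uniform`, the redirect path and the message texts are all hypothetical; the in-memory store stands in for the User table so the example runs offline.

```python
"""Added example (hypothetical names, no Django import): leaking vs. uniform
registration responses, plus the enumeration check the xfail tests perform."""

from dataclasses import dataclass, field

# Constructed redirect target; any fixed response that does not depend on
# whether the email exists would do.
PENDING_URL = "/accounts/registration_pending/"


def _norm(email: str) -> str:
    """Normalise so that 'Alice@Example.com' and 'alice@example.com' match."""
    return email.strip().lower()


@dataclass
class FakeUserStore:
    """Constructed in-memory stand-in for the User table."""
    emails: set = field(default_factory=set)
    outbox: list = field(default_factory=list)   # (address, template) pairs we would send

    def exists(self, email: str) -> bool:
        return _norm(email) in self.emails

    def create(self, email: str) -> None:
        self.emails.add(_norm(email))


def register_leaky(store: FakeUserStore, email: str):
    """Mirrors the default behaviour: a unique-constraint check on the email
    field raises a distinct error, so the response differs from a successful
    registration (message text modelled on Django's default unique error)."""
    if store.exists(email):
        return 200, {"errors": {"email": ["User with this Email already exists."]}}
    store.create(email)
    return 302, {"location": PENDING_URL}


def register_uniform(store: FakeUserStore, email: str):
    """Hardened: identical status and body either way. For an existing account
    the side effect moves out of band (a 'you already have an account' mail to
    that address) instead of into the HTTP response."""
    if store.exists(email):
        store.outbox.append((_norm(email), "already_registered"))
    else:
        store.create(email)
        store.outbox.append((_norm(email), "verify_email"))
    return 302, {"location": PENDING_URL}


def leaks_existence(handler, existing="alice@example.com", fresh="bob@example.com") -> bool:
    """Enumeration check: register with an email known to exist and with a
    fresh one; any difference in (status, body) is an oracle for the attacker."""
    store = FakeUserStore()
    store.create(existing)
    response_existing = handler(store, existing)
    response_fresh = handler(store, fresh)
    return response_existing != response_fresh


if __name__ == "__main__":
    print("leaky handler leaks:  ", leaks_existence(register_leaky))
    print("uniform handler leaks:", leaks_existence(register_uniform))
```

In the real form the equivalent of `register_uniform` is to keep the email out of the form's unique validation (one way, as an assumption about the fix rather than a description of the project's code, is to override `validate_unique()` so the `email` field is added to the exclusions) and to handle the duplicate in the view, where the "already registered" notice can be sent to the address without changing what the browser sees. The check should compare the whole response, not just the status code: a redirect to a different URL, a different template, or a different `Set-Cookie` header is the same oracle.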
Xfail Test Coverage (2 tests)
| File | Test | Reason |
| --- | --- | --- |
| test_cross_actor.py | TestUS_XA_023::test_duplicate_registration_does_not_leak_existence | Registration form leaks email existence via "already exists" error |
| test_cross_actor.py | TestUS_XA_023_Deep::test_registration_same_response_for_existing_email | Registration form leaks email existence via ModelForm.validate_unique() |
Branch: feature/test-reorganisation-and-functional-suite (PR #37)