Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix TOTP detection that are password fields (like HackerOne) #2333

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

bwbroersma
Copy link
Contributor

Fixes #2332

@droidmonkey
Copy link
Member

This needs to be validated for regressions before merging.

@@ -1,7 +1,7 @@
'use strict';

const ignoreRegex = /(bank|coupon|postal|user|zip).*code|comment|author|error/i;
const ignoredTypes = [ 'email', 'password', 'username' ];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure why password was removed. Standard TOTP fields aren't password fields, so this should be kept.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See #2332 solution one, sometimes TOTP fields do have type=password.
Another solution would be the second one (an explicit accept), then the type!=password would also be bypassed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of making this change global, I'd suggest adding an exception for this site's TOTP detection to the sites.js.

Copy link
Member

@varjolintu varjolintu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of making this change global, I'd suggest adding an exception for this site's TOTP detection to the sites.js.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

HackerOne TOTP is instead seen as password field
3 participants