[Bug] BruteForce login logic doesn't validate login type

[samjf]

What happened?

Many fatal errors are produced in the logs and brute force blocking is likely not activated when malformed input is send to the reset password endpoint.

The stack trace produced is the following:

Error: {"message":"Piwik\\Plugins\\Login\\Model::getTotalLoginAttemptsInLastHourForLogin(): Argument 
#1 ($login) must be of type string, array given, called in code_dir\/plugins\/Login\/Security\/BruteForceDetection.php on line 169","file":"code_dir\/plugins\/Login\/Model.php","line":34,"request_id":"7172c","backtrace":" on code_dir\/plugins\/Login\/Model.php(34)\n
#0 code_dir\/plugins\/Login\/Security\/BruteForceDetection.php(169): Piwik\\Plugins\\Login\\Model->getTotalLoginAttemptsInLastHourForLogin()\n
#1 code_dir\/plugins\/Login\/Login.php(184): Piwik\\Plugins\\Login\\Security\\BruteForceDetection->isUserLoginBlocked()\n
#2 [internal function]: Piwik\\Plugins\\Login\\Login->beforeLoginCheckBruteForce()\n
#3 code_dir\/core\/EventDispatcher.php(150): call_user_func_array()\n
#4 code_dir\/core\/Piwik.php(880): Piwik\\EventDispatcher->postEvent()\n
#5 code_dir\/core\/FrontController.php(643): Piwik\\Piwik::postEvent()\n
#6 code_dir\/core\/FrontController.php(169): Piwik\\FrontController->doDispatch()\n
#7 code_dir\/core\/dispatch.php(33): Piwik\\FrontController->dispatch()\n
#8 code_dir\/index.php(25): require_once('...')\n
#9 {main}","safemode_backtrace":"
#0 [internal function]: Piwik\\Plugins\\Cloud\\Controller->safemode()\n
#1 \/core\/FrontController.php(645): call_user_func_array()\n
#2 \/core\/FrontController.php(169): Piwik\\FrontController->doDispatch()\n
#3 \/core\/FrontController.php(100): Piwik\\FrontController->dispatch()\n
#4 \/core\/FrontController.php(140): Piwik\\FrontController::()\n
#5 \/core\/FrontController.php(196): Piwik\\FrontController::()\n
#6 \/core\/dispatch.php(33): Piwik\\FrontController->dispatch()\n
#7 \/index.php(25): require_once('...')\n
#8 {main}"}

With additional content in the post:

GET: {"module":"Login"}
POST: {"action":"resetPassword","form_login":{"..."}}

A sample of the post data was provided above. I believe it is the dictionary/object structure provided to form_login that produces the error.

What should happen?

Malformed login details should be validated and trigger the brute force activation instead of producing a fatal error.

How can this be reproduced?

Send requests to the following endpoint with an array for the form_login:

GET: {"module":"Login"}
POST: {"action":"resetPassword","form_login":{"..."}}

Matomo version

5.3.0

PHP version

8.2

Server operating system

Linux

What browsers are you seeing the problem on?

Firefox

Computer operating system

No response

Relevant log output

No response

Validations

• Read our Contributing Guidelines.
• Follow our Security Policy.
• Check that there isn't already an issue that reports the same bug to avoid creating duplicates.
• The provided steps to reproduce is a minimal reproducible of the Bug.