MH-11175

user-util REST endpoint may grant more rights than requested

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed and reviewed
    • Affects versions: 2.0.1, 2.1.0
    • Fix versions: 2.0.2, 2.1.0
    • Components: RESTful Interfaces
    • Labels: None
    • Severity: Security
    • Steps to reproduce:
      Have a look at the user-utils endpoint docs (POST method):
        http://octestallinone.virtuos.uos.de:8080/docs.html?path=/user-utils

      […]

      Now I tried to circumvent the problem by sending more data. I found
      that not omitting the roles fixed the problem and would create a user:

          # create user "123" with an explicitly empty roles field
          curl -i -f --digest -u opencast_system_account:CHANGE_ME \
            -H "X-Requested-Auth: Digest" \
            http://octestallinone.virtuos.uos.de:8080/user-utils/ \
            -F username=123 -F password=b -F 'roles='

      But now, when I had a look at what was actually created:

          # list the users the endpoint knows about
          curl -f --digest -u opencast_system_account:CHANGE_ME \
            -H "X-Requested-Auth: Digest" \
            http://octestallinone.virtuos.uos.de:8080/user-utils/users.json

      …you will get something like:

          {
            username: "123",
            provider: "matterhorn",
            manageable: true,
            roles: {
              role: {
                name: "ROLE_ANONYMOUS",
                organization: {...}
              }
            },
            organization: {...}
          }

      Wait, what? Why did I get a role assigned to me without specifying
      one? That is security relevant.
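The defect above is a provisioning endpoint returning a user with a role the caller never asked for. The following is an added example (not Opencast's code and not part of the report) of the two checks a defender wants around such an endpoint: an audit that diffs the roles actually present in a `users.json`-style listing against the roles requested at creation, and a `roles` field parser with the semantics the fix needs (absent, empty or whitespace-only means no roles, never a fallback role). The sample listing is constructed in the shape of the excerpt above; that the listing is a top-level JSON list, that `roles.role` may be a single object or a list, the `mh_default_org` id, the `editor` user and the comma-separated `roles` format are all assumptions of this example.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of the users.json excerpt in the report.
# The top-level list, the second user and the organization id are assumptions.
SAMPLE_USERS_JSON = json.dumps([
    {
        "username": "123",
        "provider": "matterhorn",
        "manageable": True,
        "roles": {"role": {"name": "ROLE_ANONYMOUS",
                           "organization": {"id": "mh_default_org"}}},
        "organization": {"id": "mh_default_org"},
    },
    {
        "username": "editor",
        "provider": "matterhorn",
        "manageable": True,
        "roles": {"role": [{"name": "ROLE_USER"}, {"name": "ROLE_ADMIN"}]},
        "organization": {"id": "mh_default_org"},
    },
])


def extract_roles(user: Dict) -> Set[str]:
    """Return the set of role names on one user record.

    The XML-derived JSON wraps roles as roles.role, which is a single object
    for one role and a list for several (assumed here); an empty or missing
    `roles` yields no roles.
    """
    role_field = (user.get("roles") or {}).get("role")
    if role_field is None:
        return set()
    if isinstance(role_field, dict):
        role_field = [role_field]
    return {r["name"] for r in role_field}


def unrequested_roles(user: Dict, requested: Set[str]) -> Set[str]:
    """Roles present on the record that the caller never asked for."""
    return extract_roles(user) - requested


def audit(users_json: str,
          requested_by_user: Dict[str, Set[str]]) -> List[Tuple[str, Set[str]]]:
    """Compare every listed user against the roles requested at creation.

    Returns (username, extra_roles) for each user holding roles beyond the
    request; an empty list means the endpoint granted exactly what was asked.
    """
    findings = []
    for user in json.loads(users_json):
        name = user["username"]
        if name not in requested_by_user:
            continue
        extra = unrequested_roles(user, requested_by_user[name])
        if extra:
            findings.append((name, extra))
    return findings


def parse_roles_param(raw) -> Set[str]:
    """Server-side parsing of a `roles` form field with the semantics the fix
    needs: an absent, empty or whitespace-only value means *no* roles.
    Substituting a default role at this point is exactly the reported bug.
    The comma-separated format is an assumption of this example.
    """
    if raw is None:
        return set()
    return {name.strip() for name in raw.split(",") if name.strip()}


if __name__ == "__main__":
    # The report's case: user "123" was created with roles='' (nothing requested).
    print(audit(SAMPLE_USERS_JSON,
                {"123": set(), "editor": {"ROLE_USER", "ROLE_ADMIN"}}))
    # → [('123', {'ROLE_ANONYMOUS'})]
```

Run the audit after any scripted user creation: a non-empty result means the endpoint granted rights beyond the request, which is the condition this issue is about. The parser shows the intended server-side contract: the empty `roles=` field from the curl command above must map to an empty set, not to `ROLE_ANONYMOUS` or any other default.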

    People

    • Assignee: lkiesow Lars Kiesow
    • Reporter: lkiesow Lars Kiesow
    • Watchers: 2

                Dates

                • Created:
                  Updated:
                  Resolved:

                  TestRail: Cases