
fix: [security] missing ACL lookup on attribute correlations

- attribute correlation ACL checks are skipped when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.

- Thanks to Jakub Onderka for his tireless work and for reporting this!
iglocska committed Jun 22, 2020
1 parent 120658b commit 609bfbd450c933d21c50c9f0161d633c43413eb6
Showing with 11 additions and 5 deletions.
  1. +11 −5 app/Model/Attribute.php
@@ -1645,7 +1645,7 @@ public function isOwnedByOrg($attributeId, $org)
return $this->data['Event']['org_id'] === $org;
}

public function getRelatedAttributes($attribute, $fields=array(), $includeEventData = false)
public function getRelatedAttributes($user, $attribute, $fields=array(), $includeEventData = false)
{
// LATER getRelatedAttributes($attribute) this might become a performance bottleneck

@@ -1684,16 +1684,17 @@ public function getRelatedAttributes($attribute, $fields=array(), $includeEventD
'Attribute.value2' => array($attribute['value1'],$attribute['value2']),
);
}

$baseConditions = $this->buildConditions($user);
$baseConditions['AND'][] = $conditions;
// do the search
if (empty($fields)) {
$fields = array('Attribute.*');
}
$params = array(
'conditions' => $conditions,
'conditions' => $baseConditions,
'fields' => $fields,
'recursive' => 0,
'group' => array('Attribute.event_id'),
'group' => array('Attribute.id', 'Attribute.event_id', 'Attribute.object_id', 'Attribute.object_relation', 'Attribute.category', 'Attribute.type', 'Attribute.value', 'Attribute.uuid', 'Attribute.timestamp', 'Attribute.distribution', 'Attribute.sharing_group_id', 'Attribute.to_ids', 'Attribute.comment', 'Event.id', 'Event.uuid', 'Event.threat_level_id', 'Event.analysis', 'Event.info', 'Event.extends_uuid', 'Event.distribution', 'Event.sharing_group_id', 'Event.published', 'Event.date', 'Event.orgc_id', 'Event.org_id', 'Object.id', 'Object.uuid', 'Object.distribution', 'Object.name', 'Object.template_uuid', 'Object.distribution', 'Object.sharing_group_id'),
'order' => 'Attribute.event_id DESC'
);
if (!empty($includeEventData)) {
@@ -1702,6 +1703,11 @@ public function getRelatedAttributes($attribute, $fields=array(), $includeEventD
'fields' => array(
'Event.id', 'Event.uuid', 'Event.threat_level_id', 'Event.analysis', 'Event.info', 'Event.extends_uuid', 'Event.distribution', 'Event.sharing_group_id', 'Event.published', 'Event.date', 'Event.orgc_id', 'Event.org_id'
)
),
'Object' => array(
'fields' => array(
'Object.id', 'Object.uuid', 'Object.distribution', 'Object.name', 'Object.template_uuid', 'Object.distribution', 'Object.sharing_group_id'
)
)
);
}
@@ -3436,7 +3442,7 @@ public function fetchAttributes($user, $options = array(), &$continue = true)
}
if (!empty($options['includeCorrelations'])) {
$attributeFields = array('id', 'event_id', 'object_id', 'object_relation', 'category', 'type', 'value', 'uuid', 'timestamp', 'distribution', 'sharing_group_id', 'to_ids', 'comment');
$results[$k]['Attribute']['RelatedAttribute'] = ($this->getRelatedAttributes($results[$k]['Attribute'], $attributeFields, true));
$results[$k]['Attribute']['RelatedAttribute'] = ($this->getRelatedAttributes($user, $results[$k]['Attribute'], $attributeFields, true));
}
}
if (!$loop) {
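Review bot: The new leading `$user` parameter on `getRelatedAttributes` is untyped and both it and `$attribute` are arrays, so a call site not updated in this commit would keep running and silently pass the attribute as `$user` into `buildConditions($user)`, building the ACL filter from the wrong data; only the `fetchAttributes` caller is changed here, so any remaining callers need confirming. A docblock would make the contract explicit, e.g. `@param array $user the requesting user, passed to buildConditions() so that correlating attributes this user cannot read are filtered out`, and a cheap guard rejecting an array that lacks whatever key buildConditions() relies on (presumably the role entry — confirm) would turn a stale caller into a loud failure instead of a wrong ACL. The comment `// LATER getRelatedAttributes($attribute) this might become a performance bottleneck` still names the old signature and should read `getRelatedAttributes($user, $attribute)`. The extended `group` list and the new `Object` contain block both list `'Object.distribution'` twice; dropping the duplicate keeps the column lists readable. The body of getRelatedAttributes continues outside the hunks shown.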
