fix: [security] Insufficient ACL checks in the attachment downloader …
…fixed

- Thanks to Jakub Onderka for reporting it
mokaddem committed Jun 29, 2020
1 parent 6321e02 commit d14ce7d
Showing 1 changed file with 25 additions and 28 deletions.
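--- a/app/Controller/AttributesController.php
+++ b/app/Controller/AttributesController.php
@@ -349,21 +349,19 @@ public function add($eventId = false)
 
 public function download($id = null)
 {
-$this->Attribute->id = $id;
-if (!$this->Attribute->exists()) {
-throw new NotFoundException(__('Invalid attribute'));
+if (is_numeric($id)) {
+$conditions = array('Attribute.id' => $id);
+} elseif (Validation::uuid($id)) {
+$conditions = array('Attribute.uuid' => $id);
+} else {
+throw new NotFoundException(__('Invalid attribute id.'));
+}
+$conditions['Attribute.type'] = array('attachment', 'malware-sample');
+$attributes = $this->Attribute->fetchAttributes($this->Auth->user(), array('conditions' => $conditions, 'flatten' => true));
+if (empty($attributes)) {
+throw new UnauthorizedException(__('Attribute does not exists or you do not have the permission to download this attribute.'));
 }
-$this->Attribute->read();
-if (!$this->_isSiteAdmin() &&
-$this->Auth->user('org_id') !=
-$this->Attribute->data['Event']['org_id'] &&
-(
-$this->Attribute->data['Event']['distribution'] == 0 ||
-$this->Attribute->data['Attribute']['distribution'] == 0
-)) {
-throw new UnauthorizedException(__('You do not have the permission to view this event.'));
-}
-$this->__downloadAttachment($this->Attribute->data['Attribute']);
+$this->__downloadAttachment($attributes[0]['Attribute']);
 }
 
 private function __downloadAttachment($attribute)
@@ -2016,20 +2014,19 @@ public function downloadAttachment($key='download', $id)
 if (!$user) {
 throw new UnauthorizedException(__('This authentication key is not authorized to be used for exports. Contact your administrator.'));
 }
-$this->Attribute->id = $id;
-if (!$this->Attribute->exists()) {
-throw new NotFoundException(__('Invalid attribute or no authorisation to view it.'));
-}
-$this->Attribute->read(null, $id);
-if (!$user['User']['siteAdmin'] &&
-$user['User']['org_id'] != $this->Attribute->data['Event']['org_id'] &&
-(
-$this->Attribute->data['Event']['distribution'] == 0 ||
-$this->Attribute->data['Attribute']['distribution'] == 0
-)) {
-throw new NotFoundException(__('Invalid attribute or no authorisation to view it.'));
-}
-$this->__downloadAttachment($this->Attribute->data['Attribute']);
+if (is_numeric($id)) {
+$conditions = array('Attribute.id' => $id);
+} elseif (Validation::uuid($id)) {
+$conditions = array('Attribute.uuid' => $id);
+} else {
+throw new NotFoundException(__('Invalid attribute id.'));
+}
+$conditions['Attribute.type'] = array('attachment', 'malware-sample');
+$attributes = $this->Attribute->fetchAttributes($user, array('conditions' => $conditions, 'flatten' => true));
+if (empty($attributes)) {
+throw new UnauthorizedException(__('Attribute does not exists or you do not have the permission to download this attribute.'));
+}
+$this->__downloadAttachment($attributes[0]['Attribute']);
 }
 
 public function text()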
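Review bot: The id-to-conditions resolution and the fetchAttributes() ACL lookup are now duplicated verbatim in download() and in downloadAttachment() (second hunk, from `if (is_numeric($id)) {` through `$this->__downloadAttachment($attributes[0]['Attribute']);`), so any later tightening of the lookup — for example excluding soft-deleted attributes, which I cannot tell from these hunks whether fetchAttributes() already does — has to be remembered in two places. A private helper taking `$user` and `$id` and returning the single attribute row, called from both actions, keeps the authorization decision in one spot; a sketch follows. While touching it, the new message `'Attribute does not exists or ...'` should read `'Attribute does not exist or ...'`. Note also that is_numeric() accepts floats, exponents and leading whitespace, so `ctype_digit((string) $id)` would be the stricter test for a numeric primary key.

```php
/**
 * Resolve an attachment/malware-sample attribute by id or uuid, subject to the
 * caller's ACL, and return its row. Throws NotFoundException on a malformed id
 * and UnauthorizedException when nothing visible matches.
 */
private function __fetchDownloadableAttribute($user, $id)
{
    if (is_numeric($id)) {
        $conditions = array('Attribute.id' => $id);
    } elseif (Validation::uuid($id)) {
        $conditions = array('Attribute.uuid' => $id);
    } else {
        throw new NotFoundException(__('Invalid attribute id.'));
    }
    $conditions['Attribute.type'] = array('attachment', 'malware-sample');
    $attributes = $this->Attribute->fetchAttributes($user, array('conditions' => $conditions, 'flatten' => true));
    if (empty($attributes)) {
        throw new UnauthorizedException(__('Attribute does not exist or you do not have the permission to download this attribute.'));
    }
    return $attributes[0]['Attribute'];
}

public function download($id = null)
{
    $this->__downloadAttachment($this->__fetchDownloadableAttribute($this->Auth->user(), $id));
}

// … unchanged: downloadAttachment() key and user resolution …
$this->__downloadAttachment($this->__fetchDownloadableAttribute($user, $id));
```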
