
Hardening of the RBAC check #1581

Closed
martinpovolny opened this issue Feb 5, 2015 · 11 comments

Comments

@martinpovolny
Contributor

The current code in app/controllers/application_controller.rb that does RBAC checking is:

  def check_generic_rbac
    ident = "#{controller_name}_#{action_name}"
    if MiqProductFeature.feature_exists?(ident)
      role_allows(:feature => ident, :any => true)
    else
      valid_route?(request.request_method, controller_name, action_name)
    end
  end

Meaning that if we do not find a particular RBAC feature, we just validate the existence of a route and let the request in.

The routes are whitelisted in the route file and effort was put into making sure that we have all the features defined.

Right now I don't see an exploit for this as there would have to be an extra route to an action that does not have an RBAC feature and check defined.

However, for a developer it's easy to forget and expose something this way.

Therefore we should change the code to:

  def check_generic_rbac
    ident = "#{controller_name}_#{action_name}"
    if MiqProductFeature.feature_exists?(ident)
      role_allows(:feature => ident, :any => true)
    else
      false
    end
  end

and fix or change whatever is needed to be done to make everything work as before from the user perspective.
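As an added illustration (not code from the ManageIQ project or from the issue author), the following Ruby models both versions of the check against constructed feature, route and role tables, and adds a small audit helper that lists routed actions lacking a feature. All names and data below are stand-ins; `feature_exists?`, `role_allows?` and `valid_route?` are simplified hypothetical replacements for the real ManageIQ methods.

```ruby
# Added example (not ManageIQ's code): a minimal model of the fail-open vs
# fail-closed RBAC check described in the issue. The feature registry, route
# table and role assignments below are constructed stand-ins, not real
# ManageIQ data.

# Constructed: product features that have an RBAC definition.
FEATURES = %w[vm_show vm_edit host_show].freeze

# Constructed: whitelisted routes as [http_method, controller, action].
ROUTES = [
  %w[GET vm show],
  %w[POST vm edit],
  %w[GET host show],
  %w[GET host debug_dump], # route exists, but no feature is defined for it
].freeze

# Constructed: which features each role is granted.
ROLE_FEATURES = {
  "operator" => %w[vm_show host_show],
  "admin"    => %w[vm_show vm_edit host_show],
}.freeze

# Hypothetical stand-in for MiqProductFeature.feature_exists?
def feature_exists?(ident)
  FEATURES.include?(ident)
end

# Hypothetical stand-in for role_allows(:feature => ident, :any => true)
def role_allows?(role, ident)
  ROLE_FEATURES.fetch(role, []).include?(ident)
end

# Hypothetical stand-in for valid_route?
def valid_route?(method, controller, action)
  ROUTES.include?([method, controller, action])
end

# Original behaviour from the issue: an unknown feature falls back to
# "is there a route?", so any routed action without a feature is let through.
def check_generic_rbac_fail_open(role, method, controller, action)
  ident = "#{controller}_#{action}"
  if feature_exists?(ident)
    role_allows?(role, ident)
  else
    valid_route?(method, controller, action)
  end
end

# Hardened behaviour proposed in the issue: no feature means no access.
def check_generic_rbac_fail_closed(role, method, controller, action)
  ident = "#{controller}_#{action}"
  if feature_exists?(ident)
    role_allows?(role, ident)
  else
    false
  end
end

# Developer-side audit: list routed actions that have no RBAC feature defined.
# Running something like this in CI catches the "forgot to add a feature" case
# the issue warns about, whichever check is in production.
def routes_without_feature
  ROUTES.reject { |_m, c, a| feature_exists?("#{c}_#{a}") }
        .map { |m, c, a| "#{m} #{c}##{a}" }
end

if __FILE__ == $PROGRAM_NAME
  puts "fail-open   operator host#debug_dump: #{check_generic_rbac_fail_open('operator', 'GET', 'host', 'debug_dump')}"
  puts "fail-closed operator host#debug_dump: #{check_generic_rbac_fail_closed('operator', 'GET', 'host', 'debug_dump')}"
  puts "routes lacking a feature: #{routes_without_feature.inspect}"
end
```

With these tables, the fail-open check admits an operator to `host#debug_dump` purely because the route exists, while the fail-closed check denies it; the audit helper reports that same route as the one missing a feature, which is the gap a developer would need to fix before the hardened check could ship without breaking users.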

@Fryguy
Member

Fryguy commented Feb 6, 2015

@matthewd This might be relevant to your changes.

@miq-bot
Member

miq-bot commented Jun 24, 2017

This issue has been automatically marked as stale because it has not been updated for at least 6 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions!

@miq-bot miq-bot added the stale label Jun 24, 2017
@JPrause
Member

JPrause commented Nov 27, 2018

@martinpovolny is this still a valid issue? If not, can you close it.

@JPrause
Member

JPrause commented Jan 16, 2019

@martinpovolny looks like this issue has been open for some time and is now stale.
If this issue can be closed, can you do so.
Otherwise, if you'd like it to stay open, please remove the stale label.

@martinpovolny
Contributor Author

@miq_ bot move_issue ManageIQ/manageiq-ui-classic

@martinpovolny
Contributor Author

Yes, this is opened for some time and the problem is still there. Trying to move the issue to ui-classic.

@JPrause
Member

JPrause commented Jan 22, 2019

@miq-bot remove_label stale
@h-kataria can you move this to ui-classic

@miq-bot miq-bot removed the stale label Jan 22, 2019
@miq-bot miq-bot added the stale label Jul 29, 2019
@miq-bot
Member

miq-bot commented Jul 29, 2019

This issue has been automatically marked as stale because it has not been updated for at least 6 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions!

@JPrause
Member

JPrause commented Sep 25, 2019

@miq-bot remove_label stale

@miq-bot miq-bot removed the stale label Sep 25, 2019
@JPrause
Member

JPrause commented Sep 25, 2019

@miq-bot add_label pinned

@miq-bot miq-bot added the pinned label Sep 25, 2019
@gtanzillo
Member

Closing as this has already been addressed by GHSA-46q7-rqqj-pxxj
