RolePermissions on MethodState can be bypassed #1661

Closed
1 of 5 tasks
elliot-gawthrop opened this issue Jan 11, 2022 · 0 comments · Fixed by #1831 · May be fixed by #1698

elliot-gawthrop commented Jan 11, 2022

Type of Issue

  • Bug
  • Enhancement
  • Compliance
  • Question
  • Help wanted

Describe the Issue
When an object is instantiated of a type that contains a method (e.g. AcknowledgeableConditionType), and the RolePermissions are set on the instantiated method, the permissions can be bypassed by instead calling the type method.

This is because when the MasterNodeManager validates the request, it validates the roles on CallMethodRequest.MethodId - which does not refer to the concrete method. Then later on, if this succeeds, CustomNodeManager2 acquires the concrete MethodState by calling method = source.FindMethod(systemContext, methodToCall.MethodId);. The permissions on this method are never validated.

Is this expected behavior? How is it possible to customize the role permissions for different concrete method nodes?
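
A simplified model of the check order described in this issue, next to one possible hardening. This is an added example, not code from the project or from the linked fixes; the classes, the role names and the Acknowledge sample are constructed for illustration, and the name-based FindMethod is an assumed stand-in for the stack's lookup.

```csharp
using System;
using System.Collections.Generic;

// Simplified model for illustration; these are not the stack's own classes.
class MethodNode
{
    public string BrowseName = "";
    public HashSet<string> RolesAllowedToCall = new HashSet<string>();
}

class ObjectNode
{
    public Dictionary<string, MethodNode> Methods = new Dictionary<string, MethodNode>();

    // Assumed stand-in for the lookup quoted in the issue: the MethodId in the
    // request (here the type's method) resolves to this instance's own method node.
    public MethodNode FindMethod(MethodNode requested) =>
        Methods.TryGetValue(requested.BrowseName, out var concrete) ? concrete : null;
}

static class CallValidation
{
    // Order described in the issue: only the node named by MethodId is checked.
    public static bool AsReported(ObjectNode source, MethodNode requested, string role)
    {
        if (!requested.RolesAllowedToCall.Contains(role)) return false;
        return source.FindMethod(requested) != null; // concrete node is never checked
    }

    // One possible hardening: also check the node that will actually execute.
    public static bool Hardened(ObjectNode source, MethodNode requested, string role)
    {
        if (!requested.RolesAllowedToCall.Contains(role)) return false;
        MethodNode concrete = source.FindMethod(requested);
        return concrete != null && concrete.RolesAllowedToCall.Contains(role);
    }

    static void Main()
    {
        // Constructed sample: the type method allows both roles, the instance only Operator.
        var typeMethod = new MethodNode { BrowseName = "Acknowledge", RolesAllowedToCall = { "Operator", "Observer" } };
        var instanceMethod = new MethodNode { BrowseName = "Acknowledge", RolesAllowedToCall = { "Operator" } };
        var condition = new ObjectNode { Methods = { ["Acknowledge"] = instanceMethod } };
        foreach (var role in new[] { "Operator", "Observer" })
            Console.WriteLine($"{role}: as reported={CallValidation.AsReported(condition, typeMethod, role)}, hardened={CallValidation.Hardened(condition, typeMethod, role)}");
    }
}
```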
