
User from tenant scoped team can see machines that do not scope to the tenant #4454

Closed
mayuanyang opened this issue Apr 6, 2018 · 4 comments
Labels: kind/bug (This issue represents a verified problem we are committed to solving), tag/permissions

mayuanyang commented Apr 6, 2018

Ticket: https://help.octopus.com/t/users-role-is-not-filtering-accessible-deployment-targets-based-on-tenant/19298/8

Why

Currently there is no restriction on machines based on the scoped tenants; the restriction only applies to scoped environments.

What can we do?

Apply the restrictions to machines based on the scoped tenant. Check the filter logic in the class InaccessibleVariablesWillBeRemovedRule.

The complication

A deployment target's tenant setting can be Untenanted, Tenanted, or Untenanted and Tenanted.

  • Tenant scoped users should not be able to see untenanted machines
  • Tenant scoped users should not be able to see machines that are not scoped to the tenant
  • Untenanted users should not be able to see tenanted only machines
  • There should be more to add; let's have this one to start with

It is bad

Did a test where a user is scoped to 1 tenant, T1.
The project is connected to tenants T1, T2 and T3.
Deployment can only be made to T1.

Thought that the user cannot deploy to the tenants that he does not have permission for, but it does not prevent other users from doing the deployment.

The impact: a user can scope a variable with a malicious value to a machine that he is not allowed to. He can then wait for another user with enough permission to deploy a release. The malicious value will then get deployed to production.
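An added example in Python (not Octopus Deploy's code) that models the three visibility rules listed in the post and the scope check the reporter says is missing: a variable whose machine scope names a target the user cannot see is rejected at save time. `TenantMode`, `Machine`, `User` and the sample targets and variables are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class TenantMode(Enum):
    UNTENANTED = "Untenanted"
    TENANTED = "Tenanted"
    BOTH = "Untenanted and Tenanted"


@dataclass(frozen=True)
class Machine:
    id: str
    mode: TenantMode
    tenant_ids: frozenset = frozenset()  # tenants the target is linked to


@dataclass(frozen=True)
class User:
    # Hypothetical model of team scoping: restricted tenants, untenanted access
    tenant_ids: frozenset = frozenset()
    untenanted_access: bool = False


def can_see_machine(user: User, machine: Machine) -> bool:
    """The three visibility rules from the issue, applied to one target."""
    via_tenant = bool(user.tenant_ids & machine.tenant_ids)
    if machine.mode is TenantMode.UNTENANTED:
        return user.untenanted_access  # tenant-scoped users see no untenanted targets
    if machine.mode is TenantMode.TENANTED:
        return via_tenant  # must share at least one tenant with the target
    return via_tenant or user.untenanted_access


def check_variable_scopes(user, variables, machines):
    """Split a variable-set edit into (accepted, rejected) names; a variable
    is rejected if any target in its scope is one the user may not see."""
    by_id = {m.id: m for m in machines}
    accepted, rejected = [], []
    for var in variables:
        scope = var.get("machine_scope", [])
        ok = all(i in by_id and can_see_machine(user, by_id[i]) for i in scope)
        (accepted if ok else rejected).append(var["name"])
    return accepted, rejected


# Constructed sample data mirroring the report: a user scoped to T1 only.
MACHINES = [Machine("web-untenanted", TenantMode.UNTENANTED),
            Machine("web-t1", TenantMode.TENANTED, frozenset({"T1"})),
            Machine("web-t2", TenantMode.TENANTED, frozenset({"T2"})),
            Machine("web-both", TenantMode.BOTH, frozenset({"T2", "T3"}))]
T1_USER = User(tenant_ids=frozenset({"T1"}))
VARIABLES = [{"name": "ConnString", "value": "ok", "machine_scope": ["web-t1"]},
             {"name": "Global", "value": "unscoped"},
             {"name": "Injected", "value": "bad", "machine_scope": ["web-t2"]}]
```

With this check in place the "Injected" variable is refused at save time, so a later deployment by a fully privileged user no longer carries it to a target the editor could not access.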

@octoreleasebot

Release Note: Fixed a security hole where target and tenant tag variable scopes were not checked against the list of tenants the user has access to

@pawelpabich

CVE-2018-10550

@lock

lock bot commented Nov 23, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 23, 2018