From 68407ca5be644d1c53fb894453df951230afc6dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9C=C3=A9?= Date: Tue, 2 Oct 2018 00:01:54 +0200 Subject: [PATCH] security breach on action case insensitivity --- src/Security/AdminAuthorizationChecker.php | 3 ++ tests/Controller/UserRolesTest.php | 47 ++++++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/src/Security/AdminAuthorizationChecker.php b/src/Security/AdminAuthorizationChecker.php index 953f343..e2a55d4 100644 --- a/src/Security/AdminAuthorizationChecker.php +++ b/src/Security/AdminAuthorizationChecker.php @@ -62,6 +62,9 @@ public function isEasyAdminGranted(array $entityConfig, string $actionName, $sub protected function getRequiredRole(array $entityConfig, string $actionName) { + // Prevent from security breach: role for 'list' action was not required for 'List' nor 'LIST'... + $actionName = strtolower($actionName); + if (isset($entityConfig[$actionName]) && isset($entityConfig[$actionName]['role'])) { return $entityConfig[$actionName]['role']; } elseif (isset($entityConfig['role_prefix'])) { diff --git a/tests/Controller/UserRolesTest.php b/tests/Controller/UserRolesTest.php index 92e596e..b5784d8 100644 --- a/tests/Controller/UserRolesTest.php +++ b/tests/Controller/UserRolesTest.php @@ -191,4 +191,51 @@ public function testAdminGroupRolesFormMayDisplay() $crawler->filter('form#edit-admingroup-form .field-easyadmin_admin_roles input[type="checkbox"]')->count() ); } + + public function testEntityActionsAreForbiddenOnCaseInsensitiveSpecificRoles() + { + $this->logIn(['ROLE_ADMIN']); + + $this->client->followRedirects(); + + // Edit + $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'edit', 'id' => 1]); + $this->assertSame(403, $this->client->getResponse()->getStatusCode()); + $this->assertSame( + 'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)', + trim($crawler->filterXPath('//head/title')->text()) + ); + $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'Edit', 'id' => 1]); + $this->assertSame(403, $this->client->getResponse()->getStatusCode()); + $this->assertSame( + 'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)', + trim($crawler->filterXPath('//head/title')->text()) + ); + $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'EDIT', 'id' => 1]); + $this->assertSame(403, $this->client->getResponse()->getStatusCode()); + $this->assertSame( + 'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)', + trim($crawler->filterXPath('//head/title')->text()) + ); + + // Show + $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'show', 'id' => 1]); + $this->assertSame(403, $this->client->getResponse()->getStatusCode()); + $this->assertSame( + 'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)', + trim($crawler->filterXPath('//head/title')->text()) + ); + $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'Show', 'id' => 1]); + $this->assertSame(403, $this->client->getResponse()->getStatusCode()); + $this->assertSame( + 'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)', + trim($crawler->filterXPath('//head/title')->text()) + ); + $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'SHOW', 'id' => 1]); + $this->assertSame(403, $this->client->getResponse()->getStatusCode()); + $this->assertSame( + 'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)', + trim($crawler->filterXPath('//head/title')->text()) + ); + } }