-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security concerns #100
Comments
For the specific security concern I mentionned above, I choose this approach:
The new code can be found here. |
@bufferoverflow @dlouzan May I ask some feedback on this, please? |
see #101 (comment) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am currently trying to implement #99 and noticed that anybody can access any package as long as they are authenticated through Gitlab. (https://github.com/bufferoverflow/verdaccio-gitlab/blob/v2.2.0/src/gitlab.js#L158)
From what I understand, to check whether the user is allowed to access a package or not, we only check if its user is set.
There is no verification made to ensure the user is accessing a scope he owns or that he has the proper access rights.
I am currently working on #99 so I could tackle this issue as well, I think. We just have to properly discuss the approach to solve it.
Here is what I planned to do to solve #99:
allowAnyScope
. This tells the plugin that accessing a non-owned scope might be allowed.allowAnyScope
is true, we don't fail whenpackagePermit
is false. Instead, we retrieve_package.publish
and check if its value is withinuser.real_groups
.Doing this was easy but I didn't expect to be able to see/access my published package. That's how I found the security concern.
Proposed solution:
I think the behavior for
allow_access
should follow the same pattern asallow_publish
:If the user doesn't have access to the group/project, it cannot access the packages within that scope.
The text was updated successfully, but these errors were encountered: