Ensure only team admins can list other users #5657

Closed
GuillaumeRoss opened this issue May 10, 2022 · 5 comments
Labels
bug Something isn't working as documented ~released bug This bug was found in a stable release. :reproduce Involves documenting reproduction steps in the issue ~risk-reduction Related to improvements that could help reduce risk of outages, security, privacy, or trust issues.

Comments

@GuillaumeRoss
Contributor

Goal

TODO
In the April 2022 pentest of Fleet, it was discovered that it is possible to enumerate users with api/v1/fleet/users/<USERNUMBER>. Due to error messages that differ between valid and invalid emails and the lack of throttling, an authenticated user could enumerate valid email addresses.

This is a minor privacy issue, and we should address it by:

  1. Making enumeration possible only for team admins (so not for team observers or team maintainers). Admins should be able to enumerate so they can add users to their own teams.
  2. Potentially adding throttling.

When ready to start working on this, let's discuss the exact implementation details.
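The mechanism behind mitigation 1 above, as an added example that is not part of the issue and not Fleet's code: a minimal Go handler for the GET /api/v1/fleet/users/{id} endpoint named in the report. The in-memory user store, the role names, the `X-Example-Caller` header standing in for a session token, and the sample accounts are all assumptions constructed for the example. The `LookupFirst` switch reproduces the weakness (existence check answered before the role check, so a non-admin sees 404 versus 403) next to the fixed ordering, where every non-admin gets a byte-identical 403 whether or not the ID exists.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Role names are assumptions for this example; Fleet's own role constants may differ.
const (
	RoleAdmin      = "admin"
	RoleMaintainer = "maintainer"
	RoleObserver   = "observer"
)

type User struct {
	ID    uint
	Email string
	Role  string
}

// UserServer is a hypothetical in-memory stand-in for the handler behind
// GET /api/v1/fleet/users/{id}; it is not Fleet's implementation.
type UserServer struct {
	users map[uint]User
	// LookupFirst reproduces the enumeration weakness: the target is resolved before
	// the role check, so a non-admin sees 404 or 403 depending on whether the ID exists.
	LookupFirst bool
}

func NewUserServer(users []User) *UserServer {
	s := &UserServer{users: map[uint]User{}}
	for _, u := range users {
		s.users[u.ID] = u
	}
	return s
}

func (s *UserServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// 1. Authenticate. The X-Example-Caller header is an assumption standing in for a session token.
	callerID, err := strconv.ParseUint(r.Header.Get("X-Example-Caller"), 10, 64)
	caller, ok := s.users[uint(callerID)]
	if err != nil || !ok {
		http.Error(w, `{"message":"authentication required"}`, http.StatusUnauthorized)
		return
	}
	// Parsing the path leaks nothing by itself; what matters is which check answers first.
	id, err := strconv.ParseUint(strings.TrimPrefix(r.URL.Path, "/api/v1/fleet/users/"), 10, 64)
	target, found := s.users[uint(id)]
	if s.LookupFirst && (err != nil || !found) {
		http.Error(w, `{"message":"user not found"}`, http.StatusNotFound) // distinguishable for any caller
		return
	}
	// 2. Authorize BEFORE the existence check: observers and maintainers get a byte-identical
	//    403 for existing and non-existing IDs, so valid accounts cannot be told from invalid ones.
	if caller.Role != RoleAdmin {
		http.Error(w, `{"message":"forbidden"}`, http.StatusForbidden)
		return
	}
	// 3. Only admins reach this point, where a distinguishable 404 is acceptable.
	if err != nil || !found {
		http.Error(w, `{"message":"user not found"}`, http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(target)
}

// Lookup issues GET /api/v1/fleet/users/{targetID} as callerID and returns status and body.
func (s *UserServer) Lookup(callerID, targetID uint) (int, string) {
	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/api/v1/fleet/users/%d", targetID), nil)
	req.Header.Set("X-Example-Caller", strconv.FormatUint(uint64(callerID), 10))
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

// SampleServer is populated with constructed sample accounts, not real data.
func SampleServer() *UserServer {
	return NewUserServer([]User{
		{ID: 1, Email: "admin@example.com", Role: RoleAdmin},
		{ID: 2, Email: "observer@example.com", Role: RoleObserver},
		{ID: 3, Email: "maintainer@example.com", Role: RoleMaintainer},
	})
}

func main() {
	for _, lookupFirst := range []bool{true, false} {
		s := SampleServer()
		s.LookupFirst = lookupFirst
		c1, _ := s.Lookup(2, 3)   // observer probes an existing ID
		c2, _ := s.Lookup(2, 999) // observer probes a non-existent ID
		fmt.Printf("lookupFirst=%v: observer gets %d for existing, %d for missing\n", lookupFirst, c1, c2)
	}
}
```

The check a tester would run against a real deployment is the same as the observer pair in `main`: an observer or maintainer session requesting one known and one implausible user ID must receive identical status codes and bodies, while an admin session still gets 200 and 404 respectively. Throttling (mitigation 2, listed as optional) would sit in front of this handler as middleware and is not shown here.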

@lukeheath lukeheath added ~risk-reduction Related to improvements that could help reduce risk of outages, security, privacy, or trust issues. and removed security labels Jan 9, 2023
@mikermcneil
Member

@xpkoala @lukeheath This is a bug, if it's still in the product, since this would mean Fleet isn't working as documented.

@mikermcneil mikermcneil added bug Something isn't working as documented :reproduce Involves documenting reproduction steps in the issue ~released bug This bug was found in a stable release. labels May 30, 2023
@lukeheath lukeheath assigned xpkoala and unassigned noahtalerman May 30, 2023
@lukeheath
Member

@xpkoala Please reproduce, and if it's still present, assign it to Sharon. Thanks!

@xpkoala
Contributor

xpkoala commented Jun 2, 2023

Confirm only admin access can hit this API; not rate limiting the endpoint is fine in this case. If that is the case we can close this out.

@lukeheath
Member

Thanks for checking, closing as expected behavior.

@fleet-release
Contributor

Admins guard the list,
Secure users' privacy,
Swift clouds protect all.
