ISPN-14985 CVE-2023-3628 Check bulk read permissions for REST keys/en…

…tries
infinispan · Sep 26, 2023 · b34488d · b34488d
1 parent 835efef
commit b34488d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/server/rest/src/main/java/org/infinispan/rest/resources/CacheResourceV2.java b/server/rest/src/main/java/org/infinispan/rest/resources/CacheResourceV2.java
@@ -442,6 +442,10 @@ private CompletionStage<RestResponse> streamKeys(RestRequest request) {
       AdvancedCache<Object, ?> cache = invocationHelper.getRestCacheManager().getCache(cacheName, TEXT_PLAIN, MATCH_ALL, request);
       if (cache == null)
          return invocationHelper.newResponse(request, NOT_FOUND).toFuture();
+      AuthorizationManager authorizationManager = SecurityActions.getCacheAuthorizationManager(cache);
+      if (authorizationManager != null) {
+         authorizationManager.checkPermission(AuthorizationPermission.BULK_READ);
+      }
 
       NettyRestResponse.Builder responseBuilder = invocationHelper.newResponse(request);
 
@@ -477,6 +481,11 @@ private CompletionStage<RestResponse> streamEntries(RestRequest request) {
       AdvancedCache<?, ?> cache = invocationHelper.getRestCacheManager().getCache(cacheName, request).getAdvancedCache();
       if (cache == null) return invocationHelper.newResponse(request, NOT_FOUND).toFuture();
 
+      AuthorizationManager authorizationManager = SecurityActions.getCacheAuthorizationManager(cache);
+      if (authorizationManager != null) {
+         authorizationManager.checkPermission(AuthorizationPermission.BULK_READ);
+      }
+
       final MediaType keyMediaType = getMediaType(negotiate, cache, true);
       final MediaType valueMediaType = getMediaType(negotiate, cache, false);
 

diff --git a/...sts/src/test/java/org/infinispan/server/security/authorization/RESTAuthorizationTest.java b/...sts/src/test/java/org/infinispan/server/security/authorization/RESTAuthorizationTest.java
@@ -205,6 +205,8 @@ private void testRestWriterCannotRead(String... explicitRoles) {
             .cache(ext.getMethodName());
       assertStatus(NO_CONTENT, writerCache.put("k1", "v1"));
       assertStatus(FORBIDDEN, writerCache.get("k1"));
+      assertStatus(FORBIDDEN, writerCache.keys());
+      assertStatus(FORBIDDEN, writerCache.entries());
       for (TestUser user : EnumSet.of(TestUser.OBSERVER, TestUser.DEPLOYER)) {
          RestCacheClient userCache = ext.rest().withClientConfiguration(restBuilders.get(user)).get()
                .cache(ext.getMethodName());