Search function exposes data leakage and a security issue #49

Closed
ernsyn opened this issue Oct 26, 2018 · 8 comments
ernsyn commented Oct 26, 2018

Hi Matt,

First of all, good work on 21-points. Been using your project to learn up on JHipster and it really helps.

Anyway, was going through the code and it occurred to me that even if I'm logged in as myself (john), and if I go to "Daily Points" and do a search with the following search parameter - o*, all points that match that parameter will appear. Not just mine. (See screenshot below)

[Screenshot (2018-10-27): search results for `o*` listing Points entries belonging to other users]

I was even able to edit the fields of a Point entry that belongs to others and save successfully. (I reverted what I edited so as not to tamper with other users' data.)

So there are 2 issues here -

  1. Searching allows a user to search for all items that belong to all users, not just himself/herself. (Not sure how to fix this.)
  2. Once I was able to see other user's data, I was able to edit and save successfully. (Should be easily fixable)
mraible (Owner) commented Oct 26, 2018 via email

ernsyn (Author) commented Oct 27, 2018

I looked through the link you shared. This fixes issue number 2. Any idea how issue number 1 can be fixed?

ruddell commented Oct 28, 2018

You can use the below QueryBuilder to restrict based on the current username if not an admin (same as the getAllPoints endpoint):

```java
import static org.elasticsearch.index.query.QueryBuilders.matchQuery;
import static org.elasticsearch.index.query.QueryBuilders.queryStringQuery;

// Wrap the user's free-text query, then filter on the owning login unless the caller is an admin
BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery().must(queryStringQuery(query));
if (!SecurityUtils.isCurrentUserInRole(AuthoritiesConstants.ADMIN)) {
    queryBuilder = queryBuilder.filter(matchQuery("user.login", SecurityUtils.getCurrentUserLogin().get()));
}
Page<Points> page = pointsSearchRepository.search(queryBuilder, pageable);
```
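The following is an added example, not code from 21-points or from anyone in this thread. It models both fixes the thread discusses (scoping search results to the caller, and refusing to save a row the caller does not own) with an in-memory store and plain Java instead of Elasticsearch and Spring Security, so it runs stand-alone with `java OwnerScopedPointsService.java`. The `Points`, `Principal` and `AccessDeniedException` types, the `ROLE_ADMIN` string and the sample rows are this example's own assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not 21-points code): ownership scoping for search and for update,
// using an in-memory list in place of the project's Elasticsearch/JPA repositories.
public class OwnerScopedPointsService {

    static final String ROLE_ADMIN = "ROLE_ADMIN"; // assumed role name, stands in for AuthoritiesConstants.ADMIN

    /** Minimal stand-in for the Points entity: id, free-text notes, and the owning user's login. */
    record Points(long id, String notes, String ownerLogin) {}

    /** Minimal stand-in for the authenticated caller (JHipster's SecurityUtils would supply this). */
    record Principal(String login, Set<String> roles) {
        boolean isAdmin() { return roles.contains(ROLE_ADMIN); }
    }

    /** Example's own exception type; a Spring app would use its framework equivalent. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    private final List<Points> store = new ArrayList<>();

    void add(Points p) { store.add(p); }

    /** Issue 1: restrict search hits to the caller's own rows unless the caller is an admin. */
    List<Points> search(String wildcardQuery, Principal caller) {
        // "\b" makes "o*" behave like a prefix match on a word, roughly as the search box query does
        Pattern pattern = Pattern.compile("\\b" + wildcardToRegex(wildcardQuery), Pattern.CASE_INSENSITIVE);
        List<Points> hits = new ArrayList<>();
        for (Points p : store) {
            if (!pattern.matcher(p.notes()).find()) continue;
            // Same effect as queryBuilder.filter(matchQuery("user.login", currentLogin)) in the snippet above
            if (!caller.isAdmin() && !p.ownerLogin().equals(caller.login())) continue;
            hits.add(p);
        }
        return hits;
    }

    /** Issue 2: refuse to save an entity the caller does not own (admins may edit anything). */
    Points update(Points incoming, Principal caller) {
        Optional<Points> existing = store.stream().filter(p -> p.id() == incoming.id()).findFirst();
        if (existing.isEmpty()) throw new IllegalArgumentException("no such id " + incoming.id());
        // Check ownership of the stored row, never the owner login the client put in the request body
        if (!caller.isAdmin() && !existing.get().ownerLogin().equals(caller.login())) {
            throw new AccessDeniedException(caller.login() + " may not edit Points " + incoming.id());
        }
        // Keep the stored owner so a request body cannot reassign the row to another user
        Points saved = new Points(incoming.id(), incoming.notes(), existing.get().ownerLogin());
        store.replaceAll(p -> p.id() == saved.id() ? saved : p);
        return saved;
    }

    /** Translate the search box's `*` wildcard into a regex; only `*` is supported in this example. */
    static String wildcardToRegex(String q) {
        StringBuilder sb = new StringBuilder();
        for (String part : q.split("\\*", -1)) sb.append(Pattern.quote(part)).append(".*");
        return sb.substring(0, sb.length() - 2);
    }

    public static void main(String[] args) {
        OwnerScopedPointsService svc = new OwnerScopedPointsService();
        // Constructed sample rows for two users
        svc.add(new Points(1, "one mile run", "john"));
        svc.add(new Points(2, "ok day, no alcohol", "jane"));
        svc.add(new Points(3, "swim", "john"));

        Principal john = new Principal("john", Set.of("ROLE_USER"));
        Principal admin = new Principal("admin", Set.of("ROLE_USER", ROLE_ADMIN));

        System.out.println("john searches o*:  " + svc.search("o*", john));  // only john's row 1
        System.out.println("admin searches o*: " + svc.search("o*", admin)); // rows 1 and 2

        try {
            svc.update(new Points(2, "tampered", "john"), john);            // jane's row: rejected
        } catch (AccessDeniedException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // An admin may edit it, and the stored owner (jane) is preserved regardless of the body
        System.out.println("admin edits row 2: " + svc.update(new Points(2, "ok day", "admin"), admin));
    }
}
```

The two checks are deliberately independent: scoping the search hides other users' rows from the list, but the update check is what actually stops a crafted PUT with someone else's id, so both belong in the service layer rather than only in the UI.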

ernsyn (Author) commented Oct 28, 2018

Thanks @ruddell. Tried it and it works like a charm.

@mraible I'd be happy to provide a PR for this if you do not have the time for it. Do let me know.

Cheers.

mraible (Owner) commented Oct 29, 2018

@ernsyn A PR would be great. I'm trying to crawl my way out of a mountain of email after being on the road for two weeks.

ernsyn (Author) commented Oct 30, 2018

@mraible no problem. I'll come up with a PR as soon as possible.

ernsyn (Author) commented Nov 2, 2018

Sorry for not doing the PR earlier @mraible. Was planning to do so this weekend. Thanks for closing this issue.

mraible (Owner) commented Nov 2, 2018 via email
