server: bundle-owned policy could be renamed #4846
srenatus added a commit that referenced this issue on Jul 6, 2022:
Before, we'd only check if the NEW policy path was owned by a bundle. Now, we'll also check if the to-be-updated policy is owned by a bundle. If so, return an error. Fixes #4846 Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
srenatus added a commit to srenatus/opa that referenced this issue on Jul 7, 2022:
…#4847) Before, we'd only check if the NEW policy path was owned by a bundle. Now, we'll also check if the to-be-updated policy is owned by a bundle. If so, return an error. Fixes open-policy-agent#4846 Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
ashutosh-narkar pushed a commit to ashutosh-narkar/opa that referenced this issue on Jul 7, 2022:
…#4847) Before, we'd only check if the NEW policy path was owned by a bundle. Now, we'll also check if the to-be-updated policy is owned by a bundle. If so, return an error. Fixes open-policy-agent#4846 Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com> (cherry picked from commit b2bf19f)
When a bundle owns a certain root, and contains policies, policies under that root could be replaced via the REST API because of a missing bundle scope check:
With a bundle manifest like
and this policy in the bundle,
we find:
where y.rego is

⚡ While the DELETE is properly protected, and PUT requests keeping the package path intact are, too, PUTs with a different target package path are processed as-is. We're missing a check here.
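To make the gap and the fix concrete, here is an added Go sketch of the scope check; it is not OPA's code and not from the issue author. It assumes a simplified store in which bundle manifests contribute a set of roots (path prefixes such as "x" or "a/b"), each stored policy is keyed by an id (such as "bundle/x.rego") and records the package path it declares, and "owned by a bundle" means the package path lies at or below a bundle root. The `checkExisting` flag switches between checking only the new package path (the behaviour reported above) and additionally checking the module that is about to be replaced (the behaviour the fix commit describes). All names and sample values are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBundleOwned is returned when a write would touch a bundle-owned path.
var ErrBundleOwned = errors.New("path is owned by a bundle; change it through the bundle")

// Store is a minimal stand-in for the policy store (an assumption of this
// example, not OPA's storage layer).
type Store struct {
	Roots    []string          // union of the roots from all loaded bundle manifests
	Policies map[string]string // policy id -> package path the stored module declares
}

// rootContains reports whether path equals root or lies beneath it.
// An empty root is taken to own everything.
func rootContains(root, path string) bool {
	if root == "" {
		return true
	}
	return path == root || strings.HasPrefix(path, root+"/")
}

// ownedByBundle reports whether a package path is covered by any bundle root.
func (s *Store) ownedByBundle(pkg string) bool {
	for _, r := range s.Roots {
		if rootContains(r, pkg) {
			return true
		}
	}
	return false
}

// PutPolicy models PUT /v1/policies/{id} for a module declaring newPkg.
// With checkExisting=false only the NEW package path is checked, so a
// bundle-owned module can be overwritten by one that declares a package
// outside every bundle root (the gap reported in the issue). With
// checkExisting=true the module about to be replaced is checked as well.
func (s *Store) PutPolicy(id, newPkg string, checkExisting bool) error {
	if s.ownedByBundle(newPkg) {
		return ErrBundleOwned
	}
	if checkExisting {
		if oldPkg, exists := s.Policies[id]; exists && s.ownedByBundle(oldPkg) {
			return ErrBundleOwned
		}
	}
	s.Policies[id] = newPkg
	return nil
}

// DeletePolicy models DELETE /v1/policies/{id}. It already consults the
// stored module's own package path, which is why the issue notes DELETE
// as protected.
func (s *Store) DeletePolicy(id string) error {
	oldPkg, exists := s.Policies[id]
	if !exists {
		return errors.New("policy not found")
	}
	if s.ownedByBundle(oldPkg) {
		return ErrBundleOwned
	}
	delete(s.Policies, id)
	return nil
}

// NewExampleStore builds the constructed scenario: one bundle whose manifest
// declares root "x" and which shipped a module in package x.
func NewExampleStore() *Store {
	return &Store{
		Roots:    []string{"x"},
		Policies: map[string]string{"bundle/x.rego": "x"},
	}
}

func main() {
	s := NewExampleStore()
	fmt.Println("PUT, same package, new-path check only:   ", s.PutPolicy("bundle/x.rego", "x", false))
	fmt.Println("PUT, package y, new-path check only:      ", s.PutPolicy("bundle/x.rego", "y", false))
	s = NewExampleStore()
	fmt.Println("PUT, package y, with existing-module check:", s.PutPolicy("bundle/x.rego", "y", true))
	fmt.Println("DELETE of bundle-owned module:            ", s.DeletePolicy("bundle/x.rego"))
}
```

The point the sketch makes is that the new module's package path alone says nothing about what is being overwritten: the id names a module the bundle loaded, so the check has to look at the stored module's package as well, which is exactly what the DELETE path already did.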