-
Notifications
You must be signed in to change notification settings - Fork 985
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #11579 - CVE-2015-5233 - Reports show/destroy not restricted by host authorization #2644
Conversation
The duplication on these API controllers & tests is way too much in my opinion. If you're 🆗 with this patch, we should handle this sooner than later. |
@@ -11,22 +11,25 @@ def index | |||
def show | |||
# are we searching for the last report? | |||
if params[:id] == "last" | |||
conditions = { :host_id => Host.find(params[:host_id]).try(:id) } unless params[:host_id].blank? | |||
conditions = { :host_id => Host.authorized.find(params[:host_id]).try(:id) } unless params[:host_id].blank? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use .authorized(:view_hosts)
rather than plain .authorized, otherwise I think any host permission would be sufficient.
private | ||
|
||
def check_hosts_permission | ||
@resource_base = resource_base.my_reports |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resource_base is a method, shouldn't this override it rather than set an instance variable? (And it should be in all controllers.)
@domcleal Updated by overriding the resource_scope/resource_base methods instead of chaining a new filter, thanks for the review! |
|
||
test 'cannot view the last report' do | ||
report = FactoryGirl.create(:report) | ||
get :show, { :id => 'last', :host_id => report.host.id }, set_session_user.merge(:user => User.current) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
:id => 'last'
is only applicable to the UI controller, the API controller has a last
action instead. I'm not sure sharing a test for both types of controllers is going to allow easily for these differences?
… host authorization ReportsController 'show' and 'destroy' now perform a check to see if the User is authorized to see the Host associated with the Report. In case it's not, it returns 404, as to not give hints whether a Report ID or Host ID are valid. I followed the same approach on the API controllers. 'last' was not vulnerable due to using my_reports which performs the necessary check on 'view_hosts' permission.
…ot restricted by host authorization
…ot restricted by host authorization
…ot restricted by host authorization
…ot restricted by host authorization
…ot restricted by host authorization
…ot restricted by host authorization
…o review/2750 * 'fix_4151' of https://github.com/shlomizadok/foreman: refs #10782 - Apply global host status changes refs #11579 - Addition of PR theforeman#2644 - Reports show/destroy not restricted by host authorization fixes theforeman#4151 - enable reports STI
ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, as to not give hints whether a Report
ID or Host ID are valid.
I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.