
Authorization Issue - Personal Access Tokens

Moderate
ChrisMacNaughton published GHSA-c9r2-fxx5-99g3 Jan 29, 2022

Package

EyeDP (Product)

Affected versions

<= 1.0.0.0b1

Patched versions

1.0.0

Description

The controller AccessTokensController checks user permissions to create and manage personal access tokens as follows:

before_action :verify_user_permission!

# ...

def verify_user_permission!
  current_user.groups.where(permit_token: true).any?
end

However, the method verify_user_permission! only evaluates the check and returns its result: it fails to raise an exception (or otherwise halt the request) when the user does not belong to a group with the permit_token flag set. Hence, a user who should not be able to create, revoke or use personal access tokens can "force browse" directly to /profile/access_tokens and add or revoke arbitrary tokens, as shown below. Note that the "access token" menu option is not displayed to such a user, as the user is not authorized to use access tokens.

Impact

Unauthorized users can create, edit and revoke personal access tokens. However, such tokens cannot be used, because the authorization check is performed correctly in BasicAuthController, as shown in the following code snippet:

if token && token.user.groups.where(permit_token: true).any?
  @user = token.user
  token.update(last_used_at: Time.now.utc)
end
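The filter-chain behaviour described in the Description section, together with the token-use check quoted just above, as an added example in plain Ruby. This is not EyeDP's code and does not reproduce the actual fix in commit 01324b: it models Rails' before_action with a small hypothetical BaseController in which a filter halts the request only by rendering or redirecting (modelled here as raising NotAuthorized), replaces the ActiveRecord query with an in-memory any?, and uses constructed users, groups and token strings. The two controller classes, the Token struct and the helper names are all assumptions made for the example.

```ruby
# Added example (not EyeDP's code): a minimal stand-in for Rails' before_action
# chain, showing why a permission check that merely returns a boolean does not
# block the request, what a halting guard looks like, and why the separate
# check on token use (the BasicAuthController snippet) still holds.

Group = Struct.new(:name, :permit_token)
User  = Struct.new(:name, :groups)
Token = Struct.new(:value, :user, :last_used_at)

class NotAuthorized < StandardError; end

# Shared behaviour of the two hypothetical controllers below. As in Rails, a
# before_action halts the request only by rendering/redirecting (modelled here
# as raising NotAuthorized); its return value is ignored.
class BaseController
  def self.before_action(name)
    (@before_actions ||= []) << name
  end

  def self.before_actions
    @before_actions || []
  end

  attr_reader :current_user, :tokens

  def initialize(current_user)
    @current_user = current_user
    @tokens = []
  end

  # Run the filter chain, then the action. Returns :ok or :forbidden.
  def dispatch(action)
    self.class.before_actions.each { |filter| send(filter) }
    send(action)
    :ok
  rescue NotAuthorized
    :forbidden
  end

  # In-memory equivalent of current_user.groups.where(permit_token: true).any?
  def token_permitted?
    current_user.groups.any?(&:permit_token)
  end

  # The guarded action: mints a personal access token for current_user.
  def create
    @tokens << Token.new("constructed-token-#{@tokens.size + 1}", current_user, nil)
  end
end

# Vulnerable shape: the filter evaluates the check and discards the result,
# so an unprivileged user's request still reaches the action.
class VulnerableAccessTokensController < BaseController
  before_action :verify_user_permission!

  def verify_user_permission!
    token_permitted?
  end
end

# Hardened shape: the filter halts the request unless the user is permitted.
class FixedAccessTokensController < BaseController
  before_action :verify_user_permission!

  def verify_user_permission!
    raise NotAuthorized unless token_permitted?
  end
end

# Drives one request through a controller; returns [status, tokens_minted].
def attempt_create(controller_class, user)
  controller = controller_class.new(user)
  status = controller.dispatch(:create)
  [status, controller.tokens.size]
end

# Mirrors the BasicAuthController check from the Impact section: a token is
# honoured only if its owner currently belongs to a permit_token group, so a
# token minted through the bug is still useless for authentication.
def authenticate_with_token(token)
  return nil unless token && token.user.groups.any?(&:permit_token)
  token.last_used_at = Time.now.utc
  token.user
end

# Constructed sample users.
UNPRIVILEGED = User.new("mallory", [Group.new("staff", false)])
PRIVILEGED   = User.new("alice",   [Group.new("admins", true)])

if __FILE__ == $PROGRAM_NAME
  p attempt_create(VulnerableAccessTokensController, UNPRIVILEGED) # => [:ok, 1]
  p attempt_create(FixedAccessTokensController, UNPRIVILEGED)      # => [:forbidden, 0]
  p attempt_create(FixedAccessTokensController, PRIVILEGED)        # => [:ok, 1]
end
```

The point to take from the two controllers is that the permission query itself was never wrong; what was missing was the side effect that stops the request. In a real Rails application the halting guard would call redirect_to, render or head :forbidden instead of raising, but the shape is the same: a before_action that only returns a value has no effect on whether the action runs. The authenticate_with_token helper shows why the impact stays moderate: the same group check is applied again at the point where a token is used, so a token minted by an unprivileged user is rejected there.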

Patches

This issue is resolved in commit 01324b. Users should upgrade to the latest commit on main or to a 1.0.0 or later release.

Workarounds

None

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses