Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Bug with client api #1694

Open
MagicRedDeer opened this issue Nov 23, 2021 · 3 comments
Open

Security Bug with client api #1694

MagicRedDeer opened this issue Nov 23, 2021 · 3 comments

Comments

@MagicRedDeer
Copy link
Contributor

MagicRedDeer commented Nov 23, 2021
edited
Loading

Describe the bug

When a client connects to a tactic server using an api such as the tactic_client_lib python api. There is no security for 'admin' and/or 'sthpw' projects.

For e.g. any user who can login to the tactic server without any credentials can query, insert and update sthpw/ticket, sthpw/login, and sthpw/login_in_groups and all other tables, many of which are sensitive to security.

The discussion for this bug has been initiated here

To Reproduce
Steps to reproduce the behavior:

  1. Login using the python api tactic_client_lib
  2. Initiate a query to a sensitive table such as sthpw/ticket or sthpw/login
  3. You will be able to view all information, use it or write back to it, including tickets and hashed passwords.

Expected behavior

The intended behavior of security for tactic_client_lib should be a matter of analysis and debate. But the following can be proposed.

  1. Security should be applied in a manner which has the same effect that is expected on the web interface.
  2. Users should be able to know which projects they have permissions on.
  3. Users should be able to query from entries of the sthpw tables from inside the projects where they have access according to the rules defined.
  4. Users should not be able to change their own security information except those with appropriate access levels.
@diegocortassa
Copy link
Contributor

Thanks @MagicRedDeer, in src/pyasm/search/search.py when api_mode is open (default) the the check for access to security sensitive tables is skipped.
I fixed it in PR #1695

@remkonoteboom I see you started brach 4.9 shuld I submit this PR to that branch too?

remkonoteboom added a commit that referenced this issue Nov 23, 2021
@remkonoteboom
Merge pull request #1695 from diegocortassa/DC-Patch109
00aca96 
Fix security bug, a normal user could query sensitive tables via API (see issue #1694)
@remkonoteboom
Copy link
Contributor

It depends on where you want it fixed. If this is a critical security issue, then it should be in 4.8. If it can wait, then it should be in 4.9. I just started 4.9 because there is work being done that is at early stages (lots of collection updates). I will periodically merge 4.8 to 4.9 so you don't have to worry about that.

@diegocortassa
Copy link
Contributor

Thanks Remko.
Being 4.9 in early stages I think we can wait for the next 4.8 to 4.9 merge.
You or @MagicRedDeer can close this bug as the related PR was merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@diegocortassa @remkonoteboom @MagicRedDeer