SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not
Package
Affected versions: >= 1.35.0, < 1.37.1
Patched versions: 1.37.1
Description
Published to the GitHub Advisory Database: Oct 14, 2024
Reviewed: Oct 14, 2024
Published by the National Vulnerability Database: Oct 14, 2024
Last updated: Oct 14, 2024
Impact
Clients that have enabled LookupResources2 and have caveats in the evaluation path for their requests can return a permissionship of CONDITIONAL with context marked as missing, even when the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0.
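A client-side check for the symptom described above, as an added example that is not part of the advisory or SpiceDB's own code: it flags results that are CONDITIONAL and report missing context keys which the request did in fact supply. The Result type and SuspectResults function are hypothetical names standing in for the fields of a LookupResources response, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Result is a hypothetical, trimmed-down stand-in for one LookupResources
// result: the resource ID, whether it came back CONDITIONAL, and the context
// keys the server reported as missing.
type Result struct {
	ResourceID     string
	Conditional    bool
	MissingContext []string
}

// SuspectResults returns the sorted IDs of results that are CONDITIONAL and
// report missing context even though every reported key was supplied with the
// request. A result that names a key the caller really did not send is a
// legitimate conditional answer and is not flagged.
func SuspectResults(supplied map[string]interface{}, results []Result) []string {
	var suspect []string
	for _, r := range results {
		if !r.Conditional || len(r.MissingContext) == 0 {
			continue
		}
		allSupplied := true
		for _, key := range r.MissingContext {
			if _, ok := supplied[key]; !ok {
				allSupplied = false
				break
			}
		}
		if allSupplied {
			suspect = append(suspect, r.ResourceID)
		}
	}
	sort.Strings(suspect)
	return suspect
}

func main() {
	// Constructed sample: the request supplied "ip" and "tier".
	supplied := map[string]interface{}{"ip": "10.0.0.5", "tier": "gold"}
	results := []Result{
		{ResourceID: "doc1"},
		{ResourceID: "doc2", Conditional: true, MissingContext: []string{"ip"}},
		{ResourceID: "doc3", Conditional: true, MissingContext: []string{"region"}},
	}
	fmt.Println(SuspectResults(supplied, results))
}
```

Flagged IDs on a version in the affected range are candidates for re-checking after upgrading or after applying the workaround.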
Patches
The fix for the bug will be released as part of SpiceDB 1.37.1.
Workarounds
Disable LookupResources2 via the --enable-experimental-lookup-resources flag by setting it to false.