Bug #16982

CVE-2016-7078 - User with no organizations or locations can see all resources

Added by Daniel Lobato Garcia 11 months ago. Updated 7 months ago.

Status:Closed
Priority:Normal
Assigned To:Daniel Lobato Garcia
Category:Security
Target version:Team Daniel - Iteration 9
Difficulty:
Bugzilla link:
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/4328, https://github.com/theforeman/foreman/pull/4327, https://github.com/theforeman/foreman/pull/4329, https://github.com/theforeman/foreman/pull/3961, https://github.com/theforeman/foreman/pull/3954, https://github.com/theforeman/foreman/pull/4172
Story points:-
Velocity based estimate:-
Release:1.15.0
Release relationship:Auto

Description

The default scope for hosts does not restrict properly by taxonomies. Given this use case:

1. User has role 'Edit host'
2. User has no organization or location
3. User logs in, goes to /hosts and can do anything its permissions allow. The list of hosts is unrestricted and shows hosts in any location or organization.
4. If the user gets a taxonomy assigned to it, then the restriction works normally.

This should work so that:

- Users without taxonomies, when set to 'any context', cannot see anything
- Users with taxonomies, when set to 'any context', can see everything within all of their taxonomies' context.
- Admins set to 'any context' can see everything, regardless of whether they have a taxonomy or not.
- Users or admins set to some organization/location scope can only see stuff within scope.

Pending CVE number.
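The scoping rule described above, as an added example that is not Foreman's own Taxonomix code: the Host/User structs, the sample inventory and the helper names are constructed for the illustration, and treating a non-admin's visible set as hosts that fall in one of their organizations and one of their locations is an assumption.

```ruby
# Added illustration of the scoping rule in this report: a standalone
# in-memory model, not Foreman's Taxonomix code. Host, User, HOSTS and the
# helper names are constructed here; the organization/location intersection
# for non-admin users is an assumption made for the example.
Host = Struct.new(:name, :org, :loc)
User = Struct.new(:login, :admin, :orgs, :locs)

# Constructed sample inventory spanning two organizations and two locations.
HOSTS = [
  Host.new('web1', 'acme',   'paris'),
  Host.new('db1',  'acme',   'london'),
  Host.new('ci1',  'globex', 'paris'),
].freeze

# A selected context (org and/or loc) restricts to matching hosts; an empty
# context means "any context".
def in_context?(host, context)
  (context[:org].nil? || host.org == context[:org]) &&
    (context[:loc].nil? || host.loc == context[:loc])
end

def in_user_taxonomies?(host, user)
  user.orgs.include?(host.org) && user.locs.include?(host.loc)
end

# Behaviour before the fix: a non-admin with no organizations or locations
# fell through to the unrestricted scope and saw every host.
def visible_hosts_vulnerable(user, context = {})
  base = if user.admin || (user.orgs.empty? && user.locs.empty?)
           HOSTS # BUG: "no taxonomies" treated as "no restriction"
         else
           HOSTS.select { |h| in_user_taxonomies?(h, user) }
         end
  base.select { |h| in_context?(h, context) }
end

# Fixed behaviour: only admins get the unrestricted base scope; a non-admin
# sees the union of their own taxonomies, which is empty when they have none.
# A selected context then narrows either base scope further.
def visible_hosts_fixed(user, context = {})
  base = user.admin ? HOSTS : HOSTS.select { |h| in_user_taxonomies?(h, user) }
  base.select { |h| in_context?(h, context) }
end
```

A regression check for this class of bug is the `visible_hosts_fixed(alice)` case: a user with permissions but no taxonomies must get an empty list, not the whole inventory.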


Related issues

Related to Foreman - Bug #18662: Ensure Taxonomix empty default scope isn't overridden by ... Closed 02/24/2017
Related to Discovery - Bug #18686: Fix broken tests after taxonomy scope change Closed 02/27/2017
Related to Discovery - Bug #19409: Auto provision does not work after taxonomy fix Closed 04/27/2017
Related to Foreman - Bug #20017: Mail notifications not being sent Closed 06/14/2017
Related to Foreman - Bug #20321: Cannot use foreman-rake import:puppet_classes on Foreman ... Closed 07/17/2017
Related to Foreman - Bug #20515: User searching by login in code does not find the user be... Closed 08/07/2017
Copied to Katello - Bug #17266: Fix tests that depend on CVE 2016-7078 Closed 10/18/2016

Associated revisions

Revision 5f606e11
Added by Daniel Lobato Garcia 7 months ago

Fixes #16982 - Scope properly when no taxonomies are set

The default scope for hosts and other objects did not restrict
properly by taxonomies. A user without organizations or
locations could do anything its permissions allow.
The list of hosts was unrestricted and showed hosts in
any location or organization.

This is fixed to work so that:

Users without taxonomies, when set to 'any context' cannot see
anything (at all)

Users with taxonomies, when set to 'any context' can see
everything within all of their taxonomies context (including
children taxonomies).

Admins set to 'any context' can see everything, regardless
of whether they have a taxonomy or not.

Users or admins set to some organization/location scope
can only see stuff within scope.

Revision 0804d857
Added by Dominic Cleal 7 months ago

refs #16982 - pass ID, not models into model.find

Revision f16b2068
Added by Dominic Cleal 7 months ago

refs #16982 - remove User.current deassignment (no such user)

Allows the scope change to be reverted, as User.current is no longer set
to `nil` (there is no 'admin' user).

This was relying on a bug in Ruby on Rails 4.2 where the `unscoped` call
filtered through thread variables into Subnet.subnet_for which calls
Subnet.all. This is fixed in 5.0, so the user must be set correctly.

Revision 52bae9f0
Added by Dominic Cleal 7 months ago

refs #16982 - check _ids getters as admin user in taxonomy tests

After a request, when User.current is back to nil, the ids getters will
not return any results as the default taxonomix scopes don't permit it.
The clone test was instead testing that no records were associated.

Revision 777fecc6
Added by Ohad Levy 5 months ago

fixes #19409 - auto provision now uses anonymous admin (#342)

With the introduction of Bug #16982 (CVE-2016-7078 - User with no organizations or locations can see all resources),
Discovery queries without a current user fail; this fixes that.

History

#1 Updated by Dominic Cleal 11 months ago

  • Subject changed from User with no taxonomies can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all hosts
  • Status changed from New to Assigned

#2 Updated by Dominic Cleal 11 months ago

  • Subject changed from CVE-2016-7078 - User with no organizations or locations can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all resources

Applies to both hosts and objects linked to multiple orgs/locs (via Taxonomix).

#3 Updated by The Foreman Bot 11 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3954 added

#4 Updated by The Foreman Bot 11 months ago

  • Pull request https://github.com/theforeman/foreman/pull/3961 added

#5 Updated by Daniel Lobato Garcia 11 months ago

  • Target version set to Team Daniel - iteration 3

#6 Updated by Daniel Lobato Garcia 11 months ago

  • Copied to Bug #17266: Fix tests that depend on CVE 2016-7078 added

#7 Updated by Daniel Lobato Garcia 10 months ago

  • Target version changed from Team Daniel - iteration 3 to Team Daniel - iteration 6

#8 Updated by The Foreman Bot 8 months ago

  • Pull request https://github.com/theforeman/foreman/pull/4172 added

#9 Updated by Daniel Lobato Garcia 8 months ago

  • Target version changed from Team Daniel - iteration 6 to Team Brad - Iteration 11

#10 Updated by Brad Buckingham 7 months ago

  • Target version deleted (Team Brad - Iteration 11)

#11 Updated by Daniel Lobato Garcia 7 months ago

  • Target version set to Team Daniel - Iteration 9

#12 Updated by Anonymous 7 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#13 Updated by Dominic Cleal 7 months ago

  • Release set to 1.15.0

#14 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/foreman/pull/4327 added

#15 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/foreman/pull/4328 added

#16 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/foreman/pull/4329 added

#17 Updated by Dominic Cleal 7 months ago

  • Related to Bug #18662: Ensure Taxonomix empty default scope isn't overridden by association scopes added

#18 Updated by Lukas Zapletal 7 months ago

  • Related to Bug #18686: Fix broken tests after taxonomy scope change added

#19 Updated by Lukas Zapletal 5 months ago

  • Related to Bug #19313: Auto-provisioning does not orchestrate TFTP added

#20 Updated by Ohad Levy 5 months ago

  • Related to Bug #19409: Auto provision does not work after taxonomy fix added

#21 Updated by Lukas Zapletal 5 months ago

  • Related to deleted (Bug #19313: Auto-provisioning does not orchestrate TFTP)

#22 Updated by Marek Hulán 3 months ago

  • Related to Bug #20017: Mail notifications not being sent added

#23 Updated by Marek Hulán 2 months ago

  • Related to Bug #20321: Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2 added

#24 Updated by Marek Hulán about 1 month ago

  • Related to Bug #20515: User searching by login in code does not find the user because of missing unscoped added
