Bug #16982

CVE-2016-7078 - User with no organizations or locations can see all resources

Added by Daniel Lobato Garcia about 2 years ago. Updated 5 months ago.

Description

The default scope for hosts does not restrict properly by taxonomies. Given this use case:

1. User has role 'Edit host'
2. User has no organization or location
3. User logs in, goes to /hosts and can do anything its permissions allow it to. The list of hosts is unrestricted and shows hosts in any location or organization.
4. If the user gets a taxonomy assigned to it, then the restriction works normally.

This should work so that:

- Users without taxonomies, when set to 'any context' cannot see anything
- Users with taxonomies, when set to 'any context' can see everything within all of their taxonomies context.
- Admins set to 'any context' can see everything - regardless of whether it has a taxonomy or not.
- Users or admins set to some organization/location scope can only see stuff within scope.

Pending CVE number.
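As an added example (not Foreman's own code), the four scoping rules from the description modelled in plain Ruby, with the pre-fix behaviour kept beside the fixed rule for comparison; it also applies the parent/child taxonomy inclusion noted in the fix commit. Taxonomy, Host, User, in_scope? and visible_hosts are hypothetical names, and every host is assumed to carry both an organization and a location.

```ruby
# Added example, not Foreman's own code: the taxonomy default-scope rules
# from the report modelled with plain Ruby objects (names are hypothetical).

# An organization or location; `parent` links child taxonomies to parents.
Taxonomy = Struct.new(:id, :parent) do
  # True when this taxonomy or one of its ancestors is in `ids`, so being
  # granted a parent taxonomy also covers its children.
  def under?(ids)
    node = self
    node = node.parent while node && !ids.include?(node.id)
    !node.nil?
  end
end

Host = Struct.new(:name, :organization, :location)

# current_org / current_loc are nil when the user works in 'any context'.
User = Struct.new(:admin, :organizations, :locations, :current_org, :current_loc)

# Fixed rule for one taxonomy dimension (organization or location).
def in_scope?(host_tax, user_taxes, current, admin)
  return host_tax.under?([current.id]) if current   # explicit context selected
  return true if admin                              # admin in 'any context'
  host_tax.under?(user_taxes.map(&:id))             # empty list => sees nothing
end

# Pre-fix behaviour: an empty taxonomy list meant 'no restriction at all'.
def in_scope_before_fix?(host_tax, user_taxes, current, admin)
  return true if user_taxes.empty? && current.nil?  # the CVE-2016-7078 flaw
  in_scope?(host_tax, user_taxes, current, admin)
end

# Names of hosts the user may list; both dimensions must be in scope.
def visible_hosts(user, hosts, rule = method(:in_scope?))
  hosts.select do |h|
    rule.call(h.organization, user.organizations, user.current_org, user.admin) &&
      rule.call(h.location, user.locations, user.current_loc, user.admin)
  end.map(&:name)
end

# Constructed sample data: ACME_R is a child organization of ACME.
ACME   = Taxonomy.new(1, nil)
ACME_R = Taxonomy.new(2, ACME)
OTHER  = Taxonomy.new(3, nil)
EU     = Taxonomy.new(10, nil)
HOSTS  = [Host.new('a.acme', ACME, EU),
          Host.new('b.acme-r', ACME_R, EU),
          Host.new('c.other', OTHER, EU)]
```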


Related issues

Related to Foreman - Bug #18662: Ensure Taxonomix empty default scope isn't overridden by association scopes (Closed, 2017-02-24)
Related to Discovery - Bug #18686: Fix broken tests after taxonomy scope change (Closed, 2017-02-27)
Related to Discovery - Bug #19409: Auto provision does not work after taxonomy fix (Closed, 2017-04-27)
Related to Foreman - Bug #20017: Mail notifications not being sent (Closed, 2017-06-14)
Related to Foreman - Bug #20321: Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2 (Closed, 2017-07-17)
Related to Foreman - Bug #20515: User searching by login in code does not find the user because of missing unscoped (Closed, 2017-08-07)
Copied to Katello - Bug #17266: Fix tests that depend on CVE 2016-7078 (Closed, 2016-10-18)

Associated revisions

Revision 5f606e11 (diff)
Added by Daniel Lobato Garcia almost 2 years ago

Fixes #16982 - Scope properly when no taxonomies are set

The default scope for hosts and other objects did not restrict
properly by taxonomies. A user without organizations or
locations could do anything its permissions allow it to.
The list of hosts was unrestricted and showed hosts in
any location or organization.

This is fixed to work so that:

Users without taxonomies, when set to 'any context' cannot see
anything (at all)

Users with taxonomies, when set to 'any context' can see
everything within all of their taxonomies context (including
children taxonomies).

Admins set to 'any context' can see everything - regardless
of whether it has a taxonomy or not.

Users or admins set to some organization/location scope
can only see stuff within scope.

Revision 0804d857 (diff)
Added by Dominic Cleal almost 2 years ago

refs #16982 - pass ID, not models into model.find

Revision f16b2068 (diff)
Added by Dominic Cleal almost 2 years ago

refs #16982 - remove User.current deassignment (no such user)

Allows the scope change to be reverted, as User.current is no longer set
to `nil` (there is no 'admin' user).

This was relying on a bug in Ruby on Rails 4.2 where the `unscoped` call
filtered through thread variables into Subnet.subnet_for which calls
Subnet.all. This is fixed in 5.0, so the user must be set correctly.

Revision 52bae9f0 (diff)
Added by Dominic Cleal almost 2 years ago

refs #16982 - check _ids getters as admin user in taxonomy tests

After a request and User.current is back to nil, the ids getters will
not return any results as the default taxonomix scopes don't permit it.
The clone test was instead testing that no records were associated.

Revision 777fecc6 (diff)
Added by Ohad Levy over 1 year ago

fixes #19409 - auto provision now uses anonymous admin (#342)

With the introduction of Bug fix #16982 (CVE-2016-7078 - User with no organizations or locations can see all resources),
Discovery queries without a current user fail; this fixes that.

History

#1 Updated by Dominic Cleal about 2 years ago

  • Subject changed from User with no taxonomies can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all hosts
  • Status changed from New to Assigned

#2 Updated by Dominic Cleal about 2 years ago

  • Subject changed from CVE-2016-7078 - User with no organizations or locations can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all resources

Applies to both hosts and objects linked to multiple orgs/locs (via Taxonomix).

#3 Updated by The Foreman Bot about 2 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3954 added

#4 Updated by The Foreman Bot about 2 years ago

  • Pull request https://github.com/theforeman/foreman/pull/3961 added

#5 Updated by Daniel Lobato Garcia about 2 years ago

  • Target version set to 1.5.2

#6 Updated by Daniel Lobato Garcia about 2 years ago

  • Copied to Bug #17266: Fix tests that depend on CVE 2016-7078 added

#7 Updated by Daniel Lobato Garcia about 2 years ago

  • Target version changed from 1.5.2 to 1.4.3

#8 Updated by The Foreman Bot almost 2 years ago

  • Pull request https://github.com/theforeman/foreman/pull/4172 added

#9 Updated by Daniel Lobato Garcia almost 2 years ago

  • Target version changed from 1.4.3 to 169

#10 Updated by Brad Buckingham almost 2 years ago

  • Target version deleted (169)

#11 Updated by Daniel Lobato Garcia almost 2 years ago

  • Target version set to 1.11.0

#12 Updated by Anonymous almost 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#13 Updated by Dominic Cleal almost 2 years ago

  • Legacy Backlogs Release (now unused) set to 209

#14 Updated by The Foreman Bot almost 2 years ago

  • Pull request https://github.com/theforeman/foreman/pull/4327 added

#15 Updated by The Foreman Bot almost 2 years ago

  • Pull request https://github.com/theforeman/foreman/pull/4328 added

#16 Updated by The Foreman Bot almost 2 years ago

  • Pull request https://github.com/theforeman/foreman/pull/4329 added

#17 Updated by Dominic Cleal almost 2 years ago

  • Related to Bug #18662: Ensure Taxonomix empty default scope isn't overridden by association scopes added

#18 Updated by Lukas Zapletal almost 2 years ago

  • Related to Bug #18686: Fix broken tests after taxonomy scope change added

#19 Updated by Lukas Zapletal over 1 year ago

  • Related to Bug #19313: Auto-provisioning does not orchestrate TFTP added

#20 Updated by Ohad Levy over 1 year ago

  • Related to Bug #19409: Auto provision does not work after taxonomy fix added

#21 Updated by Lukas Zapletal over 1 year ago

  • Related to deleted (Bug #19313: Auto-provisioning does not orchestrate TFTP)

#22 Updated by Marek Hulán over 1 year ago

  • Related to Bug #20017: Mail notifications not being sent added

#23 Updated by Marek Hulán over 1 year ago

  • Related to Bug #20321: Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2 added

#24 Updated by Marek Hulán over 1 year ago

  • Related to Bug #20515: User searching by login in code does not find the user because of missing unscoped added
