[OKAPI-1037] Missing permission check when token cache and pre/post filter - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: 4.8.2, 4.9.0
Fix Version/s: 4.10.0
Labels:

Template:

Standard Bug Write-Up Format
Sprint:
CP: sprint 125
Story Points:
5
Development Team:
Core: Platform
Release:
Lotus R1 2022

Description

Overview:
In an env where pre/post filter module is enabled (mod-aes for example), accessing API without permission is allowed.

Steps to Reproduce:

Set up an env with pre/post filter module enabled (mod-aes-0.0.4 for example)
Create a user with limited permissions and get x-okapi-token
Use above token to access APIs that requires other permissions
The first try will be denied with 403, but following tries will success

Expected Results:
API is protected by permissions

Actual Results:
API permission protection is void

Additional Information:
Disable token cache by setting token_cache_max_size to 0, or disable the pre/post filter module can prevent this security issue.

Interested parties:
adam, jakub, cmcnally, mreno

TestRail: Results

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

okapi-1037.sh
2 kB
15/Oct/21 11:01 AM

Issue Links

relates to

MODAT-107 Filter returns X-Okapi-Module-Tokens on error

Closed

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Steve Ellis

Reporter:: Hongwei Ji

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 22/Sep/21 9:00 AM

Updated:: 04/Jan/22 10:06 PM

Resolved:: 19/Oct/21 7:21 PM

Missing permission check when token cache and pre/post filter

Details

Description

TestRail: Results

Attachments

Attachments

Issue Links

Activity

People

Dates

TestRail: Runs

TestRail: Cases