Okapi: OKAPI-1037

Missing permission check with token cache and pre/post filter


Details

Template: Standard Bug Write-Up Format
Sprint: CP: sprint 125
Story Points: 5
Development Team: Core: Platform
Release: Lotus R1 2022

Description

Overview:
In an env where a pre/post filter module is enabled (mod-aes, for example), accessing an API without permission is allowed.

Steps to Reproduce:

1. Set up an env with a pre/post filter module enabled (mod-aes-0.0.4, for example)
2. Create a user with limited permissions and get an x-okapi-token
3. Use the above token to access APIs that require other permissions
4. The first try will be denied with 403, but following tries will succeed

Expected Results:
API is protected by permissions

Actual Results:
API permission protection is void

Additional Information:
Disabling the token cache by setting token_cache_max_size to 0, or disabling the pre/post filter module, prevents this security issue.

Interested parties:
Adam Dickmeiss, Jakub Skoczen, Craig McNally, Mathew Reno
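The following is an added model of the failure mode described in the steps above and of the two mitigations in Additional Information. It is not Okapi's code, and the report states only the symptom, so the mechanism is an assumption: a gateway that caches positive auth decisions keyed by (tenant, token, method, path), where a post filter requiring no permissions still runs after the handler's 403 and its "allowed" result is cached under the same key, so the next request is served from the cache without re-checking the handler's permissions. Tenant name, token, path, permission names and the pipeline are all constructed for the illustration.

```python
"""Constructed model of an auth-result cache whose key is too narrow.

Added illustration, not Okapi code.  Assumed mechanism: positive auth
decisions are cached per (tenant, token, method, path); a post filter that
needs no permissions still runs after the handler's 403 and its "allowed"
result is stored under the same key, so later requests skip the real check.
"""
from collections import OrderedDict

# Constructed data: a limited token, a handler needing a permission the
# token lacks, and a post filter (think mod-aes) needing none.
GRANTED = {"tok-limited": {"users.item.get"}}
PIPELINE = [
    ("handler", {"inventory.items.post"}),   # protected endpoint
    ("postfilter", set()),                   # runs even after a 403
]


class TokenCache:
    """LRU cache of positive auth decisions.

    key_includes_perms=False models the flawed key; True binds the cached
    decision to the permission set it actually proved.
    """

    def __init__(self, max_size, key_includes_perms):
        self.max_size = max_size
        self.key_includes_perms = key_includes_perms
        self.entries = OrderedDict()

    def _key(self, tenant, token, method, path, required):
        key = (tenant, token, method, path)
        if self.key_includes_perms:
            key += (tuple(sorted(required)),)
        return key

    def lookup(self, tenant, token, method, path, required):
        key = self._key(tenant, token, method, path, required)
        if key in self.entries:
            self.entries.move_to_end(key)
            return True
        return False

    def store(self, tenant, token, method, path, required):
        if self.max_size <= 0:      # token_cache_max_size=0 disables caching
            return
        self.entries[self._key(tenant, token, method, path, required)] = True
        while len(self.entries) > self.max_size:
            self.entries.popitem(last=False)


def authorize(cache, tenant, token, method, path, required):
    """True if the token may run a stage that needs `required`."""
    if cache.lookup(tenant, token, method, path, required):
        return True                       # cache hit: no re-check at all
    allowed = required <= GRANTED.get(token, set())
    if allowed:                           # only positive decisions are cached
        cache.store(tenant, token, method, path, required)
    return allowed


def handle_request(cache, tenant, token, method, path):
    """Run the pipeline once; the post filter runs even after a 403."""
    status = 200
    for stage, required in PIPELINE:
        allowed = authorize(cache, tenant, token, method, path, required)
        if stage == "handler" and not allowed:
            status = 403
    return status


def replay(cache, attempts=3):
    """Statuses of repeated calls with the same limited token (steps 3-4)."""
    return [handle_request(cache, "diku", "tok-limited", "POST", "/inventory/items")
            for _ in range(attempts)]


if __name__ == "__main__":
    print("flawed key:    ", replay(TokenCache(100, key_includes_perms=False)))
    print("key with perms:", replay(TokenCache(100, key_includes_perms=True)))
    print("cache disabled:", replay(TokenCache(0, key_includes_perms=False)))
```

With the flawed key the replay is 403 followed by 200s, matching step 4; with the cache disabled (token_cache_max_size=0) or with the required permission set in the key, every attempt is 403. The general check this illustrates: a cached authorization decision must be keyed on everything it was evaluated against, including which module's permission set was checked, or it must not be reused across pipeline stages at all.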

People

Assignee: Steve Ellis (stevel)
Reporter: Hongwei Ji (hji)