Details
- Type: New Feature
- Status: Closed
- Priority: P2
- Resolution: Done
- Sprint: CP: sprint 73
- Team: Core: Platform
Description
Because of RMB-478, a module may return X-Okapi-Token as a response header.
This may lead to privilege escalation: the client may get direct access to the modulePermissions of the endpoint it is calling.
Okapi cannot strip the header in all cases, because mod-login legitimately uses it as a valid response (TODO: consider changing the mod-login API to return the token in the body).
Okapi may use the following heuristic to decide whether the token should be stripped:
When Okapi makes a request to a module, it adds a special X-Okapi-Token header carrying a token that contains the user permissions (if any) and the module permissions (if the module has any). When a module mistakenly returns X-Okapi-Token in its response, the value will be this same token. So Okapi could compare the returned token with the one it sent to the module and, if they are identical, remove the header. In cases like mod-login returning a genuinely new token, Okapi can see that the value is different and pass the X-Okapi-Token header back to the client.
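The heuristic above, as an added stand-alone illustration rather than Okapi's own code: the token format, claim names and sample headers are constructed for the example, and the leaked claims are decoded only to show what an echoed token would expose.

```python
import base64
import hmac
import json
from typing import List, Tuple

Header = Tuple[str, str]


def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Constructed stand-in for an Okapi JWT (header.payload.signature).
    The signature is a placeholder; only the claims matter for this example."""
    return f"{_b64url({'alg': 'HS512'})}.{_b64url(claims)}.placeholder-signature"


def token_claims(token: str) -> dict:
    """Decode the payload without verifying it, to show what a leaked token carries."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def strip_echoed_token(sent_token: str, response_headers: List[Header]) -> List[Header]:
    """The heuristic from the description: drop an X-Okapi-Token response header whose
    value equals the token Okapi itself sent (an echo that would leak modulePermissions);
    pass through any other value, e.g. the fresh token issued by mod-login."""
    kept: List[Header] = []
    for name, value in response_headers:
        is_token_header = name.lower() == "x-okapi-token"  # header names are case-insensitive
        if is_token_header and hmac.compare_digest(value.strip().encode(), sent_token.encode()):
            continue  # identical to what Okapi sent: an echo, strip it
        kept.append((name, value))
    return kept


# Constructed sample: the token Okapi attached when calling an endpoint with modulePermissions.
SENT = make_token({"sub": "diku_admin", "extra_permissions": ["perms.users.get"]})
# Case 1: a module echoes every request header (the RMB-478 behaviour).
ECHO_RESPONSE = [("Content-Type", "application/json"), ("X-Okapi-Token", SENT)]
# Case 2: mod-login answers with a freshly issued user token (no module permissions).
LOGIN_RESPONSE = [("Content-Type", "application/json"),
                  ("x-okapi-token", make_token({"sub": "diku_admin"}))]

if __name__ == "__main__":
    print("claims leaked if not stripped:", token_claims(SENT)["extra_permissions"])
    print("echo  ->", strip_echoed_token(SENT, ECHO_RESPONSE))
    print("login ->", strip_echoed_token(SENT, LOGIN_RESPONSE))
```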
Issue Links
- relates to MODLOGIN-119: change login API to return tokens in the body and not in private headers (Closed)
- relates to FOLIO-2287: Valid X-Okapi-Token (with permissions) returned on invalid login (Closed)
- relates to FOLIO-2564: investigate HTTP Response Header injection (Closed)
- relates to RMB-478: RMB echoes all headers (Closed)