[MGNLREST-338] References to content in workspaces should not be resolved for users with insufficient rights Created: 24/Nov/21  Updated: 07/Feb/22  Resolved: 09/Dec/21

Status: Closed
Project: Magnolia REST Framework
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Federico Grilli Assignee: Unassigned
Resolution: Not an issue Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Screenshot 2021-11-25 at 9.03.14.png     PNG File Screenshot 2021-11-25 at 9.03.40.png     PNG File Screenshot 2021-11-25 at 9.03.50.png     PNG File Screenshot 2021-11-25 at 9.05.18.png     PNG File image-2021-12-09-11-28-16-567.png     PNG File image-2021-12-09-11-28-16-600.png     PNG File image-2021-12-09-11-28-16-642.png    
Issue Links:
relation
is related to CAMPMAN-31 Preview as visitor broken in headless... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[X]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

 Description   

As reported by tmiyar in Slack

[...] We think we might have a security issue here
https://git.magnolia-cms.com/projects/MODULES/repos/rest/browse/magnolia-rest-content-delivery/src/main/java/info/magnolia/rest/delivery/jcr/v2/JcrDeliveryEndpoint.java#349
References should not be retrieved in the system context.
Let's say I'm a user who has read permission on the website workspace but does NOT have read permission on the categories workspace.
If a category is referenced in some page, the reference will be resolved and the category will be returned to me (because of the system context).



 Comments   
Comment by Teresa Miyar [ 09/Dec/21 ]

The security issue is not related to the main content of the delivery endpoint; it is related to the referenced content of the delivery endpoint.
For example, we have a delivery endpoint with bypassWorkspaceAcls set to false and we have referenced content (campaigns):
--> Screen Shot 2021-12-09 at 11.01.34.png

The user has read privileges on the website workspace, but not on the campaign workspace:
--> Screen Shot 2021-12-09 at 11.04.00.png

When we hit the endpoint, the campaign is returned although the user does not have the privilege to read the campaign workspace:
--> Screen Shot 2021-12-09 at 11.05.46.png

From my point of view we need a mechanism for the reference resolver similar to the one we have on the delivery endpoint:

  • bypassWorkspaceAcls: true/false
  • personalized: true/false

Comment by Jaroslav Simak [ 09/Dec/21 ]

I was referring to references in my comment. The default resolver implementation, info.magnolia.rest.reference.jcr.JcrReferenceResolverDefinition, honors ACLs (I tried it one more time and it works as expected). If anonymous doesn't have access to the referenced workspace, references are not resolved.

In your case, I can see you are using a custom implementation to resolve campaigns. That resolver is doing a JCR SQL query, which might explain why you see the reference resolved (could it be that ACLs are ignored for queries, maybe?). I would look there to find out why the reference is being resolved.

Comment by Teresa Miyar [ 09/Dec/21 ]

It was indeed a problem in CampaignReferenceResolver, thank you for your help.
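The two resolution paths discussed in this issue, side by side, as an added Java example. This is not code from the Magnolia REST module, from JcrReferenceResolverDefinition or from the CampaignReferenceResolver mentioned above; the class `ReferenceLookup`, its method names and the `nodeType` parameter are illustrative assumptions. `MgnlContext.doInSystemContext`, `MgnlContext.getJCRSession` and the `javax.jcr` calls are the Magnolia and JCR APIs, and the code assumes it runs inside a Magnolia request so that `MgnlContext` carries the calling user's context.

```java
import java.util.Optional;

import javax.jcr.ItemNotFoundException;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;

import info.magnolia.context.MgnlContext;

/**
 * Illustrative helper (assumption, not part of Magnolia): resolves a reference stored on a
 * page (a UUID or a node name) to a node in another workspace such as categories or campaigns.
 */
public final class ReferenceLookup {

    private ReferenceLookup() {
    }

    /**
     * BEFORE: the lookup runs in the system context, so the target workspace is read with
     * system privileges. A caller who may read "website" but not "categories" still gets
     * the category back, which is the behaviour reported in this issue.
     */
    public static Optional<Node> resolveInSystemContext(String workspace, String uuid)
            throws RepositoryException {
        return MgnlContext.doInSystemContext((MgnlContext.Op<Optional<Node>, RepositoryException>) () -> {
            Session systemSession = MgnlContext.getJCRSession(workspace);
            try {
                return Optional.of(systemSession.getNodeByIdentifier(uuid));
            } catch (ItemNotFoundException e) {
                return Optional.empty(); // only reached when the node really does not exist
            }
        });
    }

    /**
     * AFTER: the lookup uses the calling user's own session for the target workspace.
     * Per the JCR specification, getNodeByIdentifier throws ItemNotFoundException both when
     * the node does not exist and when the session has no read access to it, so a node the
     * caller may not see is simply reported as unresolved.
     */
    public static Optional<Node> resolveAsCaller(String workspace, String uuid)
            throws RepositoryException {
        Session userSession = MgnlContext.getJCRSession(workspace);
        try {
            return Optional.of(userSession.getNodeByIdentifier(uuid));
        } catch (ItemNotFoundException e) {
            return Optional.empty(); // missing or not readable by this user: do not resolve
        }
    }

    /**
     * Query-based variant, for resolvers that look the target up by name instead of UUID
     * (the custom campaign resolver in this issue used a JCR SQL query). Executed through the
     * caller's session, the result set only contains nodes the caller may read; executed inside
     * doInSystemContext it would contain every matching node regardless of ACLs.
     * The node type is a parameter because the page does not name the campaign node type.
     */
    public static Optional<Node> findByNameAsCaller(String workspace, String nodeType, String name)
            throws RepositoryException {
        // The node type is interpolated into the statement, so restrict it to a plain JCR name
        // (prefix:local) rather than trusting whatever the caller passed in.
        if (!nodeType.matches("[A-Za-z0-9_]+:[A-Za-z0-9_]+")) {
            throw new IllegalArgumentException("unexpected node type: " + nodeType);
        }
        Session userSession = MgnlContext.getJCRSession(workspace);
        QueryManager qm = userSession.getWorkspace().getQueryManager();
        // The name goes in as a bind variable, not by string concatenation.
        Query query = qm.createQuery(
                "SELECT * FROM [" + nodeType + "] AS n WHERE NAME(n) = $name", Query.JCR_SQL2);
        query.bindValue("name", userSession.getValueFactory().createValue(name));
        NodeIterator nodes = query.execute().getNodes();
        return nodes.hasNext() ? Optional.of(nodes.nextNode()) : Optional.empty();
    }
}
```

The difference between the first method and the other two is exactly what a `bypassWorkspaceAcls` switch on the reference resolver (as suggested in the comments above) would toggle; the example does not implement that switch itself. Whether the campaign resolver in this issue ran its query in the system context or failed in some other way is not stated on the page, so treat the query variant as the general pattern to check, not as a description of that fix.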

Generated at Mon Feb 12 06:58:56 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.