Project

General

Profile

« Previous | Next » 

Revision be0b9bee

Added by Daniel Lobato Garcia over 8 years ago

Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)

ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, as to not give hints whether a Report
ID or Host ID are valid.

I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.

(cherry picked from commit 293036dfa71ae70624663647f1ef70798bf53d3e)

View differences:

app/controllers/api/v2/reports_controller.rb
include Api::Version2
include Foreman::Controller::SmartProxyAuth
before_filter :find_resource, :only => %w{show update destroy}
before_filter :find_resource, :only => %w{show destroy}
before_filter :setup_search_options, :only => [:index, :last]
add_smart_proxy_filters :create, :features => ReportImporter.report_features
......
param :id, :identifier, :required => true
def last
conditions = { :host_id => Host.find(params[:host_id]).id } unless params[:host_id].blank?
max_id = Report.authorized(:view_reports).my_reports.where(conditions).maximum(:id)
@report = Report.authorized(:view_reports).includes(:logs => [:message, :source]).find(max_id)
conditions = { :host_id => Host.authorized(:view_hosts).find(params[:host_id]).try(:id) } if params[:host_id].present?
max_id = resource_scope.where(conditions).maximum(:id)
@report = resource_scope.includes(:logs => [:message, :source]).find(max_id)
render :show
end
private
def resource_scope(options = {})
super(options).my_reports
end
def action_permission
case params[:action]
when 'last'
'view'
else
super
end
end
end
end
end

Also available in: Unified diff