Revision be0b9bee
Added by Daniel Lobato Garcia over 8 years ago
app/controllers/api/v2/reports_controller.rb | ||
include Api::Version2
|
||
include Foreman::Controller::SmartProxyAuth
|
||
|
||
before_filter :find_resource, :only => %w{show update destroy}
|
||
before_filter :find_resource, :only => %w{show destroy}
|
||
before_filter :setup_search_options, :only => [:index, :last]
|
||
|
||
add_smart_proxy_filters :create, :features => ReportImporter.report_features
|
||
... | ... | |
param :id, :identifier, :required => true
|
||
|
||
def last
|
||
conditions = { :host_id => Host.find(params[:host_id]).id } unless params[:host_id].blank?
|
||
max_id = Report.authorized(:view_reports).my_reports.where(conditions).maximum(:id)
|
||
@report = Report.authorized(:view_reports).includes(:logs => [:message, :source]).find(max_id)
|
||
conditions = { :host_id => Host.authorized(:view_hosts).find(params[:host_id]).try(:id) } if params[:host_id].present?
|
||
max_id = resource_scope.where(conditions).maximum(:id)
|
||
@report = resource_scope.includes(:logs => [:message, :source]).find(max_id)
|
||
render :show
|
||
end
|
||
|
||
private
|
||
|
||
def resource_scope(options = {})
|
||
super(options).my_reports
|
||
end
|
||
|
||
def action_permission
|
||
case params[:action]
|
||
when 'last'
|
||
'view'
|
||
else
|
||
super
|
||
end
|
||
end
|
||
end
|
||
end
|
||
end
|
Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)
ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, so as not to reveal whether a Report
ID or Host ID is valid.
I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.
(cherry picked from commit 293036dfa71ae70624663647f1ef70798bf53d3e)