Revision d213e460
Added by Daniel Lobato Garcia over 8 years ago
test/functional/api/v1/reports_controller_test.rb | ||
---|---|---|
require 'test_helper'
|
||
require 'functional/shared/report_host_permissions_test'
|
||
|
||
class Api::V1::ReportsControllerTest < ActionController::TestCase
|
||
include ::ReportHostPermissionsTest
|
||
|
||
test "should get index" do
|
||
get :index, { }
|
||
assert_response :success
|
||
... | ... | |
get :last, {:host_id => host.to_param }
|
||
assert_response :not_found
|
||
end
|
||
|
||
test 'cannot view the last report without hosts view permission' do
|
||
setup_user('view', 'reports')
|
||
report = FactoryGirl.create(:report)
|
||
get :last, { :host_id => report.host.id }, set_session_user.merge(:user => User.current)
|
||
assert_response :not_found
|
||
end
|
||
end
|
Also available in: Unified diff
Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)
ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, as to not give hints whether a Report
ID or Host ID are valid.
I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.
(cherry picked from commit 293036dfa71ae70624663647f1ef70798bf53d3e)