
Revision d213e460

Added by Daniel Lobato Garcia over 8 years ago

Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)

ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, so as not to give hints whether a Report
ID or Host ID is valid.

I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.

(cherry picked from commit 293036dfa71ae70624663647f1ef70798bf53d3e)
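The check the commit message describes, as an added example that is not Foreman's code: a plain-Ruby model (no Rails) of a user who may view only some hosts, with `show`, `destroy` and the per-host `last` lookup all answering 404 when the report's host is not visible to the user, so an existing-but-unauthorized id is indistinguishable from a nonexistent one. The names (`authorized_report`, `visible_host_ids`), the sample hosts and reports, and the rule that a higher report id is newer are all constructed for this example; the 403 variant is included only as a contrast, not as Foreman's earlier code.

```ruby
require 'set'

# Constructed domain model (added example, not Foreman's code): a Report
# belongs to a Host, and a User can see only some Hosts.
Host   = Struct.new(:id, :name)
Report = Struct.new(:id, :host)
User   = Struct.new(:name, :visible_host_ids) # Set of host ids the user may view

NOT_FOUND = [404, 'not found'].freeze

# Constructed sample data: reports 10 and 11 on web01, report 20 on db01.
HOSTS   = { 1 => Host.new(1, 'web01'), 2 => Host.new(2, 'db01') }.freeze
REPORTS = {
  10 => Report.new(10, HOSTS[1]),
  11 => Report.new(11, HOSTS[1]),
  20 => Report.new(20, HOSTS[2])
}.freeze

# Shared lookup for show and destroy: a report whose host the user may not
# view is treated exactly like a report that does not exist (both give nil).
def authorized_report(user, reports, report_id)
  report = reports[report_id]
  return nil if report.nil?
  return nil unless user.visible_host_ids.include?(report.host.id)
  report
end

def show_report(user, reports, report_id)
  report = authorized_report(user, reports, report_id)
  report ? [200, report] : NOT_FOUND
end

# destroy removes the report only after the same check; the remaining
# reports are returned with the status so the caller keeps the state.
def destroy_report(user, reports, report_id)
  report = authorized_report(user, reports, report_id)
  return [404, reports] unless report
  [200, reports.reject { |id, _| id == report_id }]
end

# 'last' for a host: refuse the host before looking for reports, so a hidden
# host with reports and a visible host without reports look alike.
# Assumption (constructed): a higher report id means a newer report.
def last_report_for_host(user, reports, host_id)
  return NOT_FOUND unless user.visible_host_ids.include?(host_id)
  report = reports.values.select { |r| r.host.id == host_id }.max_by(&:id)
  report ? [200, report] : NOT_FOUND
end

# Contrast only (not Foreman's earlier code): answering 403 for a hidden host
# lets a caller tell valid report ids apart from invalid ones.
def show_report_with_403(user, reports, report_id)
  report = reports[report_id]
  return NOT_FOUND if report.nil?
  return [403, 'forbidden'] unless user.visible_host_ids.include?(report.host.id)
  [200, report]
end

if __FILE__ == $PROGRAM_NAME
  limited = User.new('limited', Set[1]) # may view host 1 only
  [10, 20, 99].each do |id|
    puts "show #{id}: #{show_report(limited, REPORTS, id)[0]}" \
         " (403 variant: #{show_report_with_403(limited, REPORTS, id)[0]})"
  end
end
```

Running the script shows the point of the commit: with the 404-only lookup, report 20 (exists, hidden host) and report 99 (does not exist) both come back as 404, whereas the 403 variant answers them differently and thereby confirms which ids exist.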

View differences:

test/functional/reports_controller_test.rb
require 'test_helper'
require 'functional/shared/report_host_permissions_test'
class ReportsControllerTest < ActionController::TestCase
setup do
User.current = users :admin
end
include ::ReportHostPermissionsTest
def test_index
get :index, {}, set_session_user
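Review bot: the `setup do User.current = users :admin end` block added at the top of the class has no matching teardown that clears `User.current`; unless `test_helper` already resets it, the admin user set here (or a restricted user set later via `setup_user`) can leak into subsequent tests and mask a missing-permission failure, so consider adding `teardown { User.current = nil }` beside it. The `include ::ReportHostPermissionsTest` placed after it pulls in a shared module that is not part of this diff, so whether it covers `destroy` and `show` with a concrete report id cannot be confirmed from these lines.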
......
assert_template 'show'
end
test '404 on show when id is blank' do
get :show, {:id => ' '}, set_session_user
assert_response :missing
assert_template 'common/404'
end
def test_show_last
FactoryGirl.create(:report)
get :show, {:id => "last"}, set_session_user
assert_template 'show'
end
test '404 on last when no reports available' do
get :show, { :id => 'last', :host_id => FactoryGirl.create(:host) }, set_session_user
assert_response :missing
assert_template 'common/404'
end
def test_show_last_report_for_host
report = FactoryGirl.create(:report)
get :show, {:id => "last", :host_id => report.host.to_param}, set_session_user
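Review bot: in the '404 on last when no reports available' test, `:host_id => FactoryGirl.create(:host)` passes the Host object itself as the parameter, while `test_show_last_report_for_host` just below passes `report.host.to_param`; a functional test will stringify the object via `to_param`, but passing `.to_param` (or `.id`) explicitly keeps the two tests consistent and avoids relying on that conversion.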
......
assert_redirected_to reports_path
end
def create_a_report
@report = Report.import JSON.parse(File.read(File.expand_path(File.dirname(__FILE__) + "/../fixtures/report-empty.json")))
test 'cannot view the last report without hosts view permission' do
setup_user('view', 'reports')
report = FactoryGirl.create(:report)
get :show, { :id => 'last', :host_id => report.host.id }, set_session_user.merge(:user => User.current)
assert_response :not_found
end
def user_setup
@request.session[:user] = users(:one).id
users(:one).roles = [Role.find_by_name('Anonymous'), Role.find_by_name('Viewer')]
end
private
test 'user with viewer rights should succeed in viewing reports' do
user_setup
get :index, {}, set_session_user
assert_response :success
def create_a_report
@report = Report.import JSON.parse(File.read(File.expand_path(File.dirname(__FILE__) + "/../fixtures/report-empty.json")))
end
end
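Review bot: the new test 'cannot view the last report without hosts view permission' exercises only `show` with `:id => 'last'`, yet the commit message says `show` and `destroy` now check host authorization and that `last` was already safe via `my_reports`; the paths that actually changed, `show` with a concrete report id and `destroy`, have no visible test here unless `ReportHostPermissionsTest` (not in this diff) covers them. Also, this test uses `assert_response :not_found` without the `assert_template 'common/404'` the other 404 tests pair with `:missing`; aligning it with them makes it check the same response the commit message promises.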
