jackrabbit-oak-issues mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (OAK-4301) Missing protection for system-maintained rep:externalId
Date Wed, 03 Aug 2016 18:45:20 GMT

    [ https://issues.apache.org/jira/browse/OAK-4301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15406132#comment-15406132 ]

angela edited comment on OAK-4301 at 8/3/16 6:44 PM:
-----------------------------------------------------

Proposed patch including tests and documentation update.

[~tripod], maybe you want to take a closer look at this? the fix includes a configuration
option that turns on protection of rep:externalId by default. as stated above using a dedicated
mixin type was not feasible without major rewrite of the whole module and i decided to just
impose the protection using the {{ExternalIdentityValidatorProvider}}.

With this enabled:
- writing {{rep:externalId}} is limited to the system session with 1 single exception (i.e.
adding user/group + external id) to keep the xml-import of external users working. [~tripod]
if you have the impression that this was not needed, we could prevent writing altogether.
- {{rep:externalId}} must be of type STRING and single valued
- {{rep:externalId}} must be unique
- the restrictions imposed by {{rep:externalPrincipalNames}} remain unchanged


was (Author: anchela):
Proposed patch including tests and documentation update.

[~tripod], maybe you want to take a closer look at this? the fix includes a configuration
option that turns on protection of rep:externalId by default. as stated above using a dedicated
mixin type was not feasible without major rewrite of the whole module and i decided to just
impose the protection using the {{ExternalIdentityValidatorProvider}}.

With this enabled:
- writing {{rep:externalId}} is limited to the system session with 1 single exception (i.e.
adding user/group + external id) to keep the xml-import of external users working. [~tripod]
if you have the impression that this was not needed, we could prevent writing altogether.
- {{rep:externalId}} must be of type STRING and single valued
- the restrictions imposed by {{rep:externalPrincipalNames}} remain unchanged

> Missing protection for system-maintained rep:externalId 
> --------------------------------------------------------
>
>                 Key: OAK-4301
>                 URL: https://issues.apache.org/jira/browse/OAK-4301
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>            Priority: Critical
>              Labels: security
>             Fix For: 1.5.8
>
>         Attachments: OAK-4301.patch
>
>
> while working on OAK-4101 i noticed that the current implementation doesn't provide any
> protection for the system maintained property {{rep:externalId}}, which is intended to be
> an identifier for a given synchronized user/group within an external IDP.
> in other words:
> - the system doesn't assert the uniqueness of a given external-id
> - the external-id properties can be changed using regular JCR API
> up to now i didn't manage to exploit the missing protection with the current default
> implementation but i found that minor (legitimate) changes have the potential to turn this
> into a critical vulnerability.
> therefore I would strongly recommend to change the default implementation such that the
> rep:externalId really becomes system-maintained and prevent any unintentional or malicious
> modification outside of the scope of the sync-operations. furthermore uniqueness of this property
> should be asserted.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
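
Added example, not part of the original message and not Oak's ExternalIdentityValidatorProvider code: a self-contained Java (9+) model of the three rep:externalId rules listed in the comment above. The method name, its parameters, the paths and the id values are constructed for illustration.

```java
import java.util.List;
import java.util.Map;

// Simplified model of the listed rules; it does not use or reproduce Oak's validator code.
public class ExternalIdRules {

    /**
     * Checks one write of rep:externalId. Returns null when the write is
     * allowed, otherwise the reason for rejecting the commit.
     * All parameter names are hypothetical.
     */
    static String check(String nodePath, boolean nodeIsNew, List<?> values,
                        boolean systemSession, Map<String, String> idToOwnerPath) {
        // Rule 1: only the system session may write the property. The single
        // exception is a user/group node added together with its external id
        // (the XML import case).
        if (!systemSession && !nodeIsNew) {
            return "rep:externalId is system-maintained";
        }
        // Rule 2: exactly one value, of type STRING.
        if (values.size() != 1 || !(values.get(0) instanceof String)) {
            return "rep:externalId must be a single STRING value";
        }
        // Rule 3: no other user/group may already carry the same external id.
        String id = (String) values.get(0);
        String owner = idToOwnerPath.get(id);
        if (owner != null && !owner.equals(nodePath)) {
            return "rep:externalId '" + id + "' is already used by " + owner;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample state: one synchronized user already exists.
        Map<String, String> index = Map.of("alice;ldap", "/home/users/alice");
        String bob = "/home/users/bob";
        // Regular session changing the id on an existing node: rejected by rule 1.
        System.out.println(check(bob, false, List.of("bob;ldap"), false, index));
        // Regular session adding a new user together with its id: allowed.
        System.out.println(check(bob, true, List.of("bob;ldap"), false, index));
        // System session writing a multi-valued property: rejected by rule 2.
        System.out.println(check(bob, false, List.of("bob;ldap", "x"), true, index));
        // New user reusing alice's id: this model still applies rule 3 and rejects it.
        System.out.println(check(bob, true, List.of("alice;ldap"), false, index));
    }
}
```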
