From d663972f8a144b283591e46693f0aa27a9f2e859 Mon Sep 17 00:00:00 2001 From: Eli Mesika Date: Wed, 23 Dec 2020 13:15:39 +0200 Subject: [PATCH] core: prevent non-admin users see other users data This patch fixes a security hole that enables regular users to access other user data including administrators. The problem was in the DAO that accesses the users data according to the user permission, the wrong logic was to get all the user data if any permission is found for the given user. This patch modifies the relevant queries in the BLL level to return only the information that the user allowed to see CVE-2020-35497 Change-Id: I5130799027ab79f03b4e25c5f2f2ca4150887719 Bug-Id: https://bugzilla.redhat.com/show_bug.cgi?id=1899938 Signed-off-by: Eli Mesika (cherry picked from commit 40160e6f678d632937a22a8e23370086024f9994) --- .../engine/core/bll/aaa/GetAllDbUsersQuery.java | 17 +++++++++++++++-- .../core/bll/aaa/GetDbUserByUserIdQuery.java | 14 +++++++++++++- 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java index e799dbd8f76..4d964b110a9 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java @@ -1,12 +1,17 @@ package org.ovirt.engine.core.bll.aaa; -import javax.inject.Inject; +import java.util.ArrayList; + +import javax.inject.Inject; import org.ovirt.engine.core.bll.QueriesCommandBase; import org.ovirt.engine.core.bll.context.EngineContext; +import org.ovirt.engine.core.common.businessentities.aaa.DbUser; import org.ovirt.engine.core.common.queries.QueryParametersBase; import org.ovirt.engine.core.dao.DbUserDao; + + public class GetAllDbUsersQuery

extends QueriesCommandBase

{ @Inject @@ -18,6 +23,14 @@ public class GetAllDbUsersQuery

@Override protected void executeQueryCommand() { - getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered())); + DbUser currentUser = getUser(); + // A non-admin trying to get other user data will get its own data + if (!currentUser.isAdmin()) { + ArrayList users = new ArrayList<>(); + users.add(currentUser); + getQueryReturnValue().setReturnValue(users); + } else { + getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered())); + } } } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java index 52f88740da6..df491489a80 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java @@ -4,6 +4,7 @@ import javax.inject.Inject; import org.ovirt.engine.core.bll.QueriesCommandBase; import org.ovirt.engine.core.bll.context.EngineContext; +import org.ovirt.engine.core.common.businessentities.aaa.DbUser; import org.ovirt.engine.core.common.queries.IdQueryParameters; import org.ovirt.engine.core.dao.DbUserDao; @@ -19,6 +20,17 @@ public class GetDbUserByUserIdQuery

@Override protected void executeQueryCommand() { - getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered())); + DbUser currentUser = getUser(); + if (!currentUser.isAdmin()) { + // unauthorized access + if (!currentUser.getId().equals(getParameters().getId())) { + getQueryReturnValue().setReturnValue(null); + } else { + // A non-admin user can get only its own data + getQueryReturnValue().setReturnValue(dbUserDao.get(currentUser.getId(), false)); + } + } else { + getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered())); + } } } -- 2.27.0