99 lines
4.4 KiB
Diff
99 lines
4.4 KiB
Diff
From d663972f8a144b283591e46693f0aa27a9f2e859 Mon Sep 17 00:00:00 2001
|
|
From: Eli Mesika <emesika@redhat.com>
|
|
Date: Wed, 23 Dec 2020 13:15:39 +0200
|
|
Subject: [PATCH] core: prevent non-admin users see other users data
|
|
|
|
This patch fixes a security hole that enables regular users to access
|
|
other user data including administrators.
|
|
The problem was in the DAO that accesses the users data according to the
|
|
user permission, the wrong logic was to get all the user data if any
|
|
permission is found for the given user.
|
|
|
|
This patch modifies the relevant queries in the BLL level to return only
|
|
the information that the user allowed to see
|
|
|
|
CVE-2020-35497
|
|
|
|
Change-Id: I5130799027ab79f03b4e25c5f2f2ca4150887719
|
|
Bug-Id: https://bugzilla.redhat.com/show_bug.cgi?id=1899938
|
|
Signed-off-by: Eli Mesika <emesika@redhat.com>
|
|
(cherry picked from commit 40160e6f678d632937a22a8e23370086024f9994)
|
|
---
|
|
.../engine/core/bll/aaa/GetAllDbUsersQuery.java | 17 +++++++++++++++--
|
|
.../core/bll/aaa/GetDbUserByUserIdQuery.java | 14 +++++++++++++-
|
|
2 files changed, 28 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java
|
|
index e799dbd8f76..4d964b110a9 100644
|
|
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java
|
|
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java
|
|
@@ -1,12 +1,17 @@
|
|
package org.ovirt.engine.core.bll.aaa;
|
|
|
|
-import javax.inject.Inject;
|
|
+import java.util.ArrayList;
|
|
+
|
|
+import javax.inject.Inject;
|
|
|
|
import org.ovirt.engine.core.bll.QueriesCommandBase;
|
|
import org.ovirt.engine.core.bll.context.EngineContext;
|
|
+import org.ovirt.engine.core.common.businessentities.aaa.DbUser;
|
|
import org.ovirt.engine.core.common.queries.QueryParametersBase;
|
|
import org.ovirt.engine.core.dao.DbUserDao;
|
|
|
|
+
|
|
+
|
|
public class GetAllDbUsersQuery<P extends QueryParametersBase>
|
|
extends QueriesCommandBase<P> {
|
|
@Inject
|
|
@@ -18,6 +23,14 @@ public class GetAllDbUsersQuery<P extends QueryParametersBase>
|
|
|
|
@Override
|
|
protected void executeQueryCommand() {
|
|
- getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered()));
|
|
+ DbUser currentUser = getUser();
|
|
+ // A non-admin trying to get other user data will get its own data
|
|
+ if (!currentUser.isAdmin()) {
|
|
+ ArrayList<DbUser> users = new ArrayList<>();
|
|
+ users.add(currentUser);
|
|
+ getQueryReturnValue().setReturnValue(users);
|
|
+ } else {
|
|
+ getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered()));
|
|
+ }
|
|
}
|
|
}
|
|
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
|
|
index 52f88740da6..df491489a80 100644
|
|
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
|
|
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
|
|
@@ -4,6 +4,7 @@ import javax.inject.Inject;
|
|
|
|
import org.ovirt.engine.core.bll.QueriesCommandBase;
|
|
import org.ovirt.engine.core.bll.context.EngineContext;
|
|
+import org.ovirt.engine.core.common.businessentities.aaa.DbUser;
|
|
import org.ovirt.engine.core.common.queries.IdQueryParameters;
|
|
import org.ovirt.engine.core.dao.DbUserDao;
|
|
|
|
@@ -19,6 +20,17 @@ public class GetDbUserByUserIdQuery<P extends IdQueryParameters>
|
|
|
|
@Override
|
|
protected void executeQueryCommand() {
|
|
- getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered()));
|
|
+ DbUser currentUser = getUser();
|
|
+ if (!currentUser.isAdmin()) {
|
|
+ // unauthorized access
|
|
+ if (!currentUser.getId().equals(getParameters().getId())) {
|
|
+ getQueryReturnValue().setReturnValue(null);
|
|
+ } else {
|
|
+ // A non-admin user can get only its own data
|
|
+ getQueryReturnValue().setReturnValue(dbUserDao.get(currentUser.getId(), false));
|
|
+ }
|
|
+ } else {
|
|
+ getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered()));
|
|
+ }
|
|
}
|
|
}
|
|
--
|
|
2.27.0
|
|
|