Graph delete request leaks existence of space #5031

Closed
C0rby opened this issue Nov 10, 2022 · 0 comments · Fixed by #6220
Assignees: 2403905
Labels: Type:Bug, Topic:Security, Topic:good-first-issue, Priority:p4-low (Low priority), Severity:sev4-low (no loss of service, req. for docs info or enhancement)

Comments

C0rby (Contributor) commented Nov 10, 2022

Context

oCIS version: v2.0.0-rc.1

Issue

A user could guess the space IDs of spaces they don't have access to.
Since we are using UUIDv4, this is improbable, so this issue has a low priority.

Admin space id:

curl -k -s -u einstein:relativity -X DELETE 'https://localhost:9200/graph/v1.0/drives/1284d238-aa92-42ce-bdc4-0b0000009157$be65710a-bced-465e-9e1a-72ff269de8ee' | jq .
{
  "error": {
    "code": "notAllowed",
    "innererror": {
      "date": "2022-11-10T15:23:54Z",
      "request-id": "yocto/2IxZGOgPSg-000365"
    },
    "message": "permission denied to delete drive"
  }
}

Non existing space id:

curl -k -s -u einstein:relativity -X DELETE 'https://localhost:9200/graph/v1.0/drives/1284d238-aa92-42ce-bdc4-0b0000009157$32bdbe86-9f91-4494-8d38-49d6c0a83955' | jq .
{
  "error": {
    "code": "generalException",
    "innererror": {
      "date": "2022-11-10T15:25:31Z",
      "request-id": "yocto/2IxZGOgPSg-000369"
    },
    "message": "grpc error"
  }
}

Expected

The user should receive a generic error like "drive not found" or something like that if they can't access the drive.
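The two responses above form an existence oracle: the caller is unauthorized either way, but "notAllowed" is only returned when the drive is actually there, while a missing drive surfaces the backend's failure as "generalException". The following Go program is an added example, not oCIS's own code: it models the reported behaviour against a constructed in-memory drive store (hypothetical `driveStore`, `leakyHandler`, `hardenedHandler`, `probe` and `oracleDistinguishes` names) and contrasts it with a handler that collapses "not found" and "forbidden" into one uniform "drive not found" response, as the issue asks for. The `itemNotFound` error code and the 404 status used for the uniform response are choices made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed in-memory store standing in for the storage backend
// (example code, not oCIS's own). Maps drive id -> owner.
type driveStore map[string]string

var (
	errNotFound   = errors.New("drive not found")
	errPermission = errors.New("permission denied")
)

// Delete removes a drive if it exists and the caller owns it.
func (s driveStore) Delete(user, id string) error {
	owner, ok := s[id]
	if !ok {
		return errNotFound
	}
	if owner != user {
		return errPermission
	}
	delete(s, id)
	return nil
}

// graphError mirrors the "error" object shape seen in the responses above.
type graphError struct {
	Code    string `json:"code"`
	Message string `json:"message"`
}

func writeError(w http.ResponseWriter, status int, code, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]graphError{"error": {Code: code, Message: msg}})
}

func driveID(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/graph/v1.0/drives/")
}

// leakyHandler reproduces the reported behaviour: each backend error maps to a
// distinct client-visible code, so "exists but forbidden" and "does not exist"
// are distinguishable.
func leakyHandler(store driveStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user, _, _ := r.BasicAuth()
		switch err := store.Delete(user, driveID(r)); {
		case err == nil:
			w.WriteHeader(http.StatusNoContent)
		case errors.Is(err, errPermission):
			writeError(w, http.StatusForbidden, "notAllowed", "permission denied to delete drive")
		default:
			writeError(w, http.StatusInternalServerError, "generalException", "grpc error")
		}
	}
}

// hardenedHandler returns one identical response for every failure, so a
// caller without access learns nothing about whether the id exists. The real
// cause belongs in server-side logs, never in the body sent to the client.
func hardenedHandler(store driveStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user, _, _ := r.BasicAuth()
		if err := store.Delete(user, driveID(r)); err != nil {
			writeError(w, http.StatusNotFound, "itemNotFound", "drive not found")
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

// probe sends DELETE as the given user and returns the status and error code.
func probe(h http.Handler, user, id string) (int, string) {
	req := httptest.NewRequest(http.MethodDelete, "/graph/v1.0/drives/"+id, nil)
	req.SetBasicAuth(user, "x")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var body struct {
		Error graphError `json:"error"`
	}
	_ = json.NewDecoder(rec.Body).Decode(&body) // empty body on 204 is fine
	return rec.Code, body.Error.Code
}

// oracleDistinguishes reports whether a non-owner can tell an existing drive
// from a missing one by comparing the two responses, i.e. whether the leak exists.
func oracleDistinguishes(h http.Handler) bool {
	s1, c1 := probe(h, "einstein", "exists-but-admins")
	s2, c2 := probe(h, "einstein", "does-not-exist")
	return s1 != s2 || c1 != c2
}

// newStore builds the constructed sample data: one admin-owned drive, one owned by einstein.
func newStore() driveStore {
	return driveStore{"exists-but-admins": "admin", "einsteins-own": "einstein"}
}

func main() {
	fmt.Println("leaky handler leaks existence:", oracleDistinguishes(leakyHandler(newStore())))
	fmt.Println("hardened handler leaks existence:", oracleDistinguishes(hardenedHandler(newStore())))
}
```

The check in `oracleDistinguishes` is the regression test worth keeping after a fix like this: compare status code and body for a forbidden-but-existing id against a random non-existent id as the same unprivileged user, and fail if they differ. Response timing is a separate channel this example does not cover.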

@C0rby C0rby added Type:Bug Topic:Security Priority:p4-low Low priority Severity:sev4-low no loss of service, req. for docs info or enhancement labels Nov 10, 2022
@2403905 2403905 self-assigned this May 3, 2023
2403905 added a commit to 2403905/ocis that referenced this issue May 3, 2023
2403905 added a commit to 2403905/ocis that referenced this issue May 5, 2023
2403905 added a commit to 2403905/ocis that referenced this issue May 8, 2023
micbar added a commit that referenced this issue May 8, 2023
fix Graph delete request leaks existence of space #5031
ownclouders pushed a commit that referenced this issue May 8, 2023
fix Graph delete request leaks existence of space #5031