Bug #24708

closed

Groups node ids list in API is still exhaustive even with restricted tenant access

Added by Clark ANDRIANASOLO 18 days ago. Updated 4 days ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Severity: Trivial - no functional impact | cosmetic
UX impact:
User visibility: Operational - other Techniques | Rudder settings | Plugins
Effort required: Small
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

When:
  • I log in as a user in a tenant which has access to a single node root, and I generate an API token
  • OR I use an API account token with the same tenant access

I can still find all node ids of any group in the group details endpoint /api/groups/{groupId}/:


{
  "action": "groupDetails",
  "result": "success",
  "data": {
    "groups": [
      {
        ...,
        "nodeIds": [
          "0e7eedc8-d6af-4d68-a7f8-eec615a4bc1a",
          "root"
        ]
      }
    ]
  }
}

Especially when I query the group all-nodes-with-cfengine-agent, I can know all node ids in Rudder even outside of my tenant. But I don't have access to node details in /api/nodes/{nodeId}, nor to those nodes in the groups page.

This groups API endpoint should not leak node ids: the list of node ids should be filtered to include only the ones in the tenants.
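An added illustration of the filtering the report asks for, written here in Python and not taken from Rudder's code base: the node inventory, the groups, the tenant-to-node mapping and the function names are all constructed for this example. It contrasts the leaking group response with one restricted by the same tenant check the node endpoint already applies, and adds a cross-endpoint consistency check that flags any node id a group response exposes which the node endpoint would refuse for the same tenant.

```python
"""Tenant-scoped group details: leaky vs. filtered (illustration, not Rudder code)."""
from __future__ import annotations

# Constructed sample inventory. One group contains every node, in the spirit of
# the 'all-nodes-with-cfengine-agent' group named in the report.
GROUPS: dict[str, dict] = {
    "all-nodes-with-cfengine-agent": {
        "id": "all-nodes-with-cfengine-agent",
        "displayName": "All nodes with a CFEngine agent",
        "nodeIds": ["root", "node-b1", "node-b2"],
    },
    "web-servers": {
        "id": "web-servers",
        "displayName": "Web servers",
        "nodeIds": ["node-b1"],
    },
}

# Constructed tenant model: which node ids each tenant may see. "tenant-a"
# only sees the root node, which is the situation described in the report.
TENANT_NODES: dict[str, set[str]] = {
    "tenant-a": {"root"},
    "tenant-b": {"node-b1", "node-b2"},
}


def node_details(tenant: str, node_id: str) -> dict:
    """Stand-in for /api/nodes/{nodeId}: refuses nodes outside the tenant."""
    if node_id not in TENANT_NODES[tenant]:
        raise PermissionError(f"{tenant} may not read node {node_id}")
    return {"id": node_id}


def _envelope(group: dict) -> dict:
    """Wraps a group the way the groupDetails response does."""
    return {"action": "groupDetails", "result": "success", "data": {"groups": [group]}}


def group_details_unfiltered(tenant: str, group_id: str) -> dict:
    """The reported behaviour: nodeIds are returned without any tenant check."""
    return _envelope(dict(GROUPS[group_id]))


def group_details_filtered(tenant: str, group_id: str) -> dict:
    """Fixed behaviour: nodeIds keep only nodes the tenant is allowed to see.

    The same authorization predicate as node_details() is applied, so both
    endpoints agree on what the tenant may learn about.
    """
    allowed = TENANT_NODES[tenant]
    group = dict(GROUPS[group_id])
    group["nodeIds"] = [n for n in group["nodeIds"] if n in allowed]
    return _envelope(group)


def leaked_node_ids(tenant: str, response: dict) -> list[str]:
    """Consistency check across endpoints.

    Every node id present in a group response should also be readable through
    the node endpoint for the same tenant. Returns the ids that are not, i.e.
    the information the group endpoint leaks.
    """
    leaked: list[str] = []
    for group in response["data"]["groups"]:
        for node_id in group["nodeIds"]:
            try:
                node_details(tenant, node_id)
            except PermissionError:
                leaked.append(node_id)
    return leaked


if __name__ == "__main__":
    gid = "all-nodes-with-cfengine-agent"
    print("leaked (unfiltered):", leaked_node_ids("tenant-a", group_details_unfiltered("tenant-a", gid)))
    print("leaked (filtered):  ", leaked_node_ids("tenant-a", group_details_filtered("tenant-a", gid)))
```

The consistency check is the useful part for a reviewer: it reuses the node endpoint's own authorization decision as the oracle, so any group endpoint that serializes node ids can be run through it rather than re-deriving the tenant rules by hand.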


Subtasks (1): 0 open, 1 closed

Rudder plugins - Bug #24727: Groups node ids list in API should be filtered by tenant in plugins (Released, François ARMAND)

Related issues (1): 1 open, 0 closed

Related to Rudder - Bug #24787: Some group endpoints list node ids outside of restricted tenant access (New, Clark ANDRIANASOLO)

#1

Updated by Clark ANDRIANASOLO 13 days ago

  • Status changed from New to In progress
  • Assignee set to Clark ANDRIANASOLO
#2

Updated by Clark ANDRIANASOLO 13 days ago

  • Subtask #24727 added
#3

Updated by Clark ANDRIANASOLO 13 days ago

  • Subtask #24728 added
#4

Updated by Clark ANDRIANASOLO 12 days ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/5608
#5

Updated by Clark ANDRIANASOLO 7 days ago

  • Status changed from Pending technical review to Pending release
#6

Updated by François ARMAND 6 days ago

  • Fix check changed from To do to Checked
#7

Updated by Clark ANDRIANASOLO 4 days ago

  • Related to Bug #24787: Some group endpoints list node ids outside of restricted tenant access added
#8

Updated by Vincent MEMBRÉ 4 days ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 8.1.1 which was released today.
