Project

General

Profile

Actions

Bug #24708

closed

Groups node ids list in API is still exhaustive even with restricted tenant access

Added by Clark ANDRIANASOLO 7 months ago. Updated 7 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
Trivial - no functional impact | cosmetic
UX impact:
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Small
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

When :
  • I log in as a user in a tenant which has access to a single node root, and I generate an API token
  • OR I use an API account token with the same tenant access

, I can still find all node ids of any group in the groups details endpoint /api/groups/{groupId}/ :


{
  "action": "groupDetails",
  "result": "success",
  "data": {
    "groups": [
      {
         ...,
         "nodeIds": [
           "0e7eedc8-d6af-4d68-a7f8-eec615a4bc1a",
           "root" 
         ]
       }
     ]
   }
}

Especially when I query the group all-nodes-with-cfengine-agent, I can know all node ids in Rudder even outside of my tenant. But I don't have access to node details in /api/nodes/{nodeId}, nor to those nodes in the groups page.

This groups API endpoint should not leak node ids : the list of nodes ids should be filtered to include only the ones in the tenants.


Subtasks 1 (0 open1 closed)

Rudder plugins - Bug #24727: Groups node ids list in API should be filtered by tenant in pluginsReleasedFrançois ARMANDActions

Related issues 1 (1 open0 closed)

Related to Rudder - Bug #24787: Some group endpoints list node ids outside of restricted tenant accessNewClark ANDRIANASOLOActions
Actions

Also available in: Atom PDF