Bug #28404: CurrentUser can have unknown actor and query context in snippets

Added by Clark ANDRIANASOLO 10 days ago. Updated about 10 hours ago.

Status: Pending release
Priority: 1 (highest)
Assignee:
Category: Security
Target version:
Severity: Minor - inconvenience | misleading | easy workaround
UX impact: I dislike using that feature
User visibility: First impressions of Rudder
Effort required: Small
Priority: 60
Name check: To do
Fix check: To do
Regression: No

Description

The current user variable is likely not observed at the right time (looks like the RequestVar issue with Lift variables and ZIO execution).

The expected actor is rudder for that.


Files

clipboard-202602231618-ogc1d.png (78.7 KB), Clark ANDRIANASOLO, 2026-02-23 16:18
clipboard-202602231621-uuumg.png (227 KB), Clark ANDRIANASOLO, 2026-02-23 16:21

Subtasks 3 (2 open, 1 closed)

  • Change validation - Bug #28447: Impact of current user actor unknown in change-validation (Rejected, Pauline IOGNA)
  • Rudder plugins - Architecture #28484: Impact of current user query context option in plugins snippets (Pending technical review, Pauline IOGNA)
  • Rudder plugins - Architecture #28485: Impact of current user query context option in private plugins snippets (Pending technical review, Pauline IOGNA)

Related issues 1 (1 open, 0 closed)

  • Related to Rudder - Bug #28452: ADR for proper initialization of query context in Lift snippets (Pending technical review, Pauline IOGNA)

Updated by Clark ANDRIANASOLO 10 days ago #1

This does not seem to happen when the webapp does the policy generation by itself:

clipboard-202602231621-uuumg.png

Updated by Clark ANDRIANASOLO 9 days ago #2

  • Status changed from New to In progress
  • Assignee set to Clark ANDRIANASOLO

Updated by Clark ANDRIANASOLO 9 days ago #3

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to Pauline IOGNA
  • Pull Request set to https://github.com/Normation/rudder/pull/6939

Updated by Clark ANDRIANASOLO 9 days ago #4

  • Category changed from Web - Maintenance to Security

Updated by Clark ANDRIANASOLO 9 days ago #5

  • Priority changed from N/A to 1 (highest)

In fact, the fact that an unknown user is potentially accessing the UI occurs at several other places: it could be a security issue, so we need to prevent this by adding checks and warning logs.

Updated by Clark ANDRIANASOLO 7 days ago #7

  • Subject changed from Change log for policy generation event has unknown actor to CurrentUser can have unknown actor and query context in snippets

Updated by Clark ANDRIANASOLO 6 days ago #8

  • Subtask #28447 added

Updated by Clark ANDRIANASOLO 3 days ago #9

  • Pull Request changed from https://github.com/Normation/rudder/pull/6939 to https://github.com/Normation/rudder/pull/6958

Updated by Clark ANDRIANASOLO 3 days ago #10

  • Related to Bug #28452: ADR for proper initialization of query context in Lift snippets added

Updated by Clark ANDRIANASOLO 2 days ago #11

  • Target version changed from 9.0.5 to 9.1.0~alpha2
  • Priority changed from 120 to 60

Updated by Clark ANDRIANASOLO 1 day ago #12

  • Status changed from Pending technical review to Pending release

Updated by Clark ANDRIANASOLO about 11 hours ago #13

  • Subtask #28484 added

Updated by Clark ANDRIANASOLO about 11 hours ago #14

  • Subtask #28485 added