Security: Add missing authorization checks to web handlers#5304
Open
Ashutosh0x wants to merge 1 commit into
Open
Security: Add missing authorization checks to web handlers#5304Ashutosh0x wants to merge 1 commit into
Ashutosh0x wants to merge 1 commit into
Conversation
- issue_redirector: Use access.check_access_and_get_testcase() instead of helpers.get_testcase() to enforce testcase access control before redirecting to issue URLs - coverage_report: Add access.has_access(job_type=job) check before serving coverage data for any job - update_issue: Verify user association with target issue before allowing cross-object issue modifications via privileged service account
Author
|
@oliverchang @jonathanmetzman Hi! This PR adds missing authorization checks to three web handlers, extending the scope of #5258 / PR #5259:
The CLA is signed. All basic checks passed. Could you please review and trigger the CI test suite? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add missing authorization checks to three web handlers in ClusterFuzz to prevent unauthorized access to testcase data, coverage reports, and cross-object issue manipulation.
Problems Fixed
1. issue_redirector.py - Missing Access Control
The handler uses
helpers.get_testcase()which only checks if a testcase exists, NOT if the current user has permission to view it. This leaks private issue tracker URLs to unauthorized users.Fix: Replaced with
access.check_access_and_get_testcase()which enforces proper permission checks.2. coverage_report.py - Missing Job-Level Authorization
Any authenticated user can request coverage reports for any fuzzer job across any project, regardless of their access level.
Fix: Added
access.has_access(job_type=job)check before serving coverage data.3. update_issue.py - Cross-Object Authorization Bypass (IDOR)
The handler checks if the user has access to the testcase, but NOT to the target issue. Since it runs as a high-privilege service account, it can post comments and modify metadata on private issues in other projects.
Fix: Added user-association check verifying the requesting user is an admin, privileged user, or explicitly associated (reporter/assignee/CC) with the target issue.
Impact
Without these fixes:
Related
This PR extends the scope of #5258 by also fixing the cross-object authorization bypass in
update_issue.py, which is not covered by PR #5259.