[security] Test case and fix for an INSERT security hole
7099bbd685aa introduced an untested corner case in which an Entity with no
attribute specified could be created regardless of permissions.
Report and test case by Christophe de Vienne, fix by Aurelien Campeas. Thanks!
Closes #4854359
--- a/hooks/security.py Wed Nov 26 17:39:59 2014 +0100
+++ b/hooks/security.py Wed Jan 21 15:58:33 2015 +0100
@@ -68,6 +68,12 @@
# going through check_perm.
raise Unauthorized(action, str(rdef))
rdef.check_perm(session, action, eid=eid)
+ if action == 'add' and not etypechecked:
+ # think about cnx.create_entity('Foo')
+ # the standard metadata were inserted by a hook
+ # with a bypass ... we conceptually need to check
+ # the eid attribute at *creation* time
+ entity.cw_check_perm(action)
class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
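Review bot: The comment above the added `entity.cw_check_perm(action)` call never states the invariant it restores, although this is the line that closes the hole. Going by the commit message, I would spell it out, e.g. `# nothing went through the per-attribute checks (metadata set by hooks is inserted with a bypass), so the entity-level 'add' permission is still unchecked; check it here so a bare create_entity('Foo') cannot skip it`. The guard is limited to `action == 'add'`. Whether an 'update' can also reach this point with `etypechecked` still false is not visible, because the function starts outside the hunk. That is worth confirming before relying on this as the only fallback.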
--- a/server/test/unittest_security.py Wed Nov 26 17:39:59 2014 +0100
+++ b/server/test/unittest_security.py Wed Jan 21 15:58:33 2015 +0100
@@ -112,6 +112,14 @@
self.assertRaises(Unauthorized, self.commit)
self.assertEqual(cu.execute('Personne X').rowcount, 1)
+ def test_insert_security_2(self):
+ with self.login('anon') as cu:
+ cu.execute("INSERT Affaire X")
+ self.assertRaises(Unauthorized, self.commit)
+ # anon has no read permission on Affaire entities, so
+ # rowcount == 0
+ self.assertEqual(cu.execute('Affaire X').rowcount, 0)
+
def test_insert_rql_permission(self):
# test user can only add une affaire related to a societe he owns
with self.login('iaminusersgrouponly') as cu:
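Review bot: The last assertion in `test_insert_security_2` cannot tell a rejected insert from a persisted one. As its own comment says, anon has no read permission on Affaire, so `rowcount` is 0 either way. Only `self.assertRaises(Unauthorized, self.commit)` actually exercises the fix. To pin that nothing was stored, repeat the `Affaire X` query after the `with` block from a session that is allowed to read Affaire, and assert 0 there. A one-line docstring such as `"""INSERT with no attribute must still check the entity 'add' permission."""` would also tie the test to the reported issue.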