
Able to guess if a DB exists even without the proper permissions

Open Feyko opened this issue 3 years ago • 3 comments

Hi. I believe this could be a big security concern. It also seems it comes from Arango itself, so it could be even more of a problem. Using the Client.DatabaseExists method returns a forbidden error if the database doesn't exist and an unauthorized error if the database does exist. I haven't tested other methods like Database.CollectionExists, but I believe the Arango team should look into this.

Feyko avatar May 07 '22 20:05 Feyko

@Feyko could you describe "without the proper permission" case?

I was trying to reproduce it with a user who has no access to the specific db, and for both cases 401 has been returned. BTW Client.DatabaseExists uses the following URI: http://localhost:8529/_db/mydb/_api/database/current

jwierzbo avatar May 14 '22 15:05 jwierzbo

@jwierzbo sorry for the slow response. To test the permission I created a database as root and then created a user. Didn't touch anything else, which means the user has no access to the database. Both cases do return a 401. However, the ErrorMessage changes between `not authorized to execute this request` and `forbidden` whether the database exists or not.

While I was testing this, I also tested other "Exists" methods. CollectionExists returns forbidden no matter if the collection exists or not, and CollectionExists returns no error and false if it doesn't exist, but an error 403 with ErrorMessage `No access to collection 'collName'`.

Feyko avatar May 18 '22 21:05 Feyko

> While I was testing this, I also tested other "Exists" methods. CollectionExists returns forbidden no matter if the collection exists or not, and CollectionExists returns no error and false if it doesn't exist, but an error 403 with ErrorMessage `No access to collection 'collName'`.

I'm trying to reproduce this part, but I cannot understand when the following case happens:

> `CollectionExists` returns no error and `false` if it doesn't exist but an error 403 with ErrorMessage `No access to collection 'collName'`

If I create a user with no access to Database xxx, then I always get the following response, no matter if the collection exists or not:

```json
{
    "error": true,
    "errorNum": 11,
    "errorMessage": "not authorized to execute this request",
    "code": 401
}
```

jwierzbo avatar Aug 30 '22 14:08 jwierzbo
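As an added illustration (not code from go-driver, ArangoDB or anyone in this thread): a small Go check that compares the error bodies an unprivileged user receives for an existing and a non-existing database and reports which fields differ, which is the property a regression test for this issue should assert. The sample bodies are constructed from the messages quoted above; the `errorNum` of the `forbidden` body is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample bodies (not captured from a real server) for an
// unprivileged user probing a database that exists vs. one that does not.
// Pre-fix: same 401, but errorMessage differs, as Feyko observed.
// Post-fix: both bodies are identical, so nothing can be inferred.
var (
	PreFixExisting  = []byte(`{"error":true,"errorNum":11,"errorMessage":"not authorized to execute this request","code":401}`)
	PreFixMissing   = []byte(`{"error":true,"errorNum":11,"errorMessage":"forbidden","code":401}`) // errorNum assumed
	PostFixExisting = PreFixExisting
	PostFixMissing  = PreFixExisting
)

// Fields of an ArangoDB error body that an unprivileged caller can compare.
var comparedFields = []string{"code", "errorNum", "errorMessage"}

// ExistenceOracle returns the names of fields that differ between the two
// responses. An empty result means the caller cannot tell the cases apart,
// which is what a regression test for this issue should assert.
func ExistenceOracle(existing, missing []byte) ([]string, error) {
	var a, b map[string]any
	if err := json.Unmarshal(existing, &a); err != nil {
		return nil, fmt.Errorf("existing: %w", err)
	}
	if err := json.Unmarshal(missing, &b); err != nil {
		return nil, fmt.Errorf("missing: %w", err)
	}
	var diffs []string
	for _, f := range comparedFields {
		// Numbers decode as float64 and strings as string; both compare with ==.
		if a[f] != b[f] {
			diffs = append(diffs, f)
		}
	}
	return diffs, nil
}

func main() {
	fmt.Println(ExistenceOracle(PreFixExisting, PreFixMissing))   // [errorMessage] <nil>
	fmt.Println(ExistenceOracle(PostFixExisting, PostFixMissing)) // [] <nil>
}
```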

@Feyko we've been able to reproduce it. Fix is already in devel: https://github.com/arangodb/arangodb/pull/17240

jwierzbo avatar Oct 17 '22 10:10 jwierzbo

Nice!

Feyko avatar Oct 17 '22 10:10 Feyko